Blog Posts From Network Sheriff Tagged With video
https://learningnetwork.cisco.com/blogs/network-sheriff
Mon, 29 Mar 2010 18:22:28 GMT

Blog Burn Out
https://learningnetwork.cisco.com/blogs/network-sheriff/2010/03/29/blog-burn-out
<div class="jive-rendered-content"><p>I love the old joke that Steve Martin used to do in his "wild and crazy guy" days about the new stereo sounding great for the first few weeks, then after a month it was **** again. That is kinda where I am with blogging nowadays. Don't get me wrong, I still enjoy it and love to share info. It's just that now it seems more like a job instead of a creative outlet that I cannot wait to get to. That is not a good place for me normally. I have been blogging weekly here, on Network World and BMighty, plus writing articles for Hackzines and professional publications, for the past four years and I am tired. I refuse to write low-end stuff or cheapen the content of this blog. I will always deliver fresh stuff or no stuff. So to that end, I will still be blogging here on the Cisco Learning Network, just not weekly. I do feel very strongly about the incredible mission the Cisco Learning Network is on. Networking is my life's blood (along with some cool Newcastle Ale) and shared knowledge is the only knowledge worth having. I will be dropping a few of my other writing commitments but not this blog. I just need to catch some fish, play some cards, kick the football Lucy is holding and then I will be back at it again weekly.</p>
<p>Respectfully,</p>
<p>Jimmy Ray Purser</p>
<p>Trivia File Transfer Protocol</p>
<p>When Newcastle Brown Ale moved its plant from Newcastle to Gateshead, it lost its PGI status.</p></div>
Mon, 29 Mar 2010 18:22:28 GMT

Hide and Seek
https://learningnetwork.cisco.com/blogs/network-sheriff/2010/03/17/hide-and-seek
<div class="jive-rendered-content"><p>A few months back I took a fantastic class called Urban Escape and Evasion. You can read about it here. One of the principles taught in that class was the art of hiding in the open. The trick is looking like the things folks naturally look away from, and have done so so often that not processing this information is a normal part of their routine. Folks like construction workers, civil servants, bikers, Joe business **********, etc… slip in and out of our day with near invisibility.</p>
<p>There are a bunch of reasons to hide info. Normally, if you REALLY want to hide data, you just encrypt it for the folks in your key circle and it's Newcastle time. However, sharing stuff with folks outside of the "circle of trust" means hiding it in plain sight. We still do it for practice, to see if folks can find any clues and to keep our skills sharp. Kinda like a "Paul McCartney is dead" thing for us geek-type folks. Back in the day, we used to hide URLs or code in plain sight by Base64 encoding them, tucking them into a common URL, and slipping thru just about everything. Things have sure changed big time.</p>
<p>Malware jockeys are hiding data in plain sight by encoding it in multiple places and then having JavaScript assemble it at runtime. This vector is harder to find than an empty seat at a Jek Porkins autograph signing. I started working with the Windows-based tool Malzilla <a class="jive-link-external-small" href="http://malzilla.sourceforge.net/" rel="nofollow" target="_blank">http://malzilla.sourceforge.net</a> to look for malware hiding in plain sight.</p>
<p>Malzilla's small footprint is about the size of an average Python script for Linux; around 3Meg. It is very easy to use: just copy the URL into the URL box at the bottom of the first tab and you're off to the races, baby! You do need to understand coding principles to get the hang of the info, but it's not that bad. They have a nice collection of tutorials on the website to get you going. Although Malzilla does a good job of sandboxing your machine, as a best practice I never ever analyze malware without using a dedicated sandbox machine running VirtualBox <a class="jive-link-external-small" href="http://www.virtualbox.org/" rel="nofollow" target="_blank">http://www.virtualbox.org</a>. If you are looking for a good malware analyzer with a nice supply of decoders and access to the full source code that runs on Windows, it's hard to beat Malzilla. I keep it in my tool box for sure.</p>
<p>Talking about hiding stuff without giving a nod to steganography is like going to Germany and not driving on the Autobahn. There are a ton of methods of hiding data inside of all types of files. Hey, talk about being ignored; spam emails are ignored more than a suggestion to have a tofu night at a karaoke bar. I have blogged before about a great tool to use here: <a class="jive-link-external-small" href="http://www.spammimic.com/" rel="nofollow" target="_blank">http://www.spammimic.com</a> But what about stuff for hiding files inside of files? I need proggies better than, and not as noisy as, Streams from Microsoft via their ADS subsystem. Stuff like Hydan, the ultra easy to use Data Stash, Xidie, etc… One of my favs is StegaNote. It's a little older Windows tool but it is still hard to beat, ultra simple to use and nearly impossible to recover data from. With these tools I can hide the secret of life… the Konami Code (↑, ↑, ↓, ↓, ←, →, ←, →, B, A). The flip side of the coin here is that it is very difficult to detect, let alone recover, the hidden info. I have had some luck with StegDetect but it is still a very tough job, so pack a lunch. Why should you care about this stuff? Understanding Steg (as it is called by the cool crowd) is like learning lock picking. Many locked doors are now open and you can see a whole new world of communication on the Internet. Things like malware results will almost never be posted in an Excel spreadsheet, notepad file or FTP server. They will be hidden in stuff that you ignore by design… like a web site logo… perhaps…</p>
<p>Finally, on this road to finding hidden stuff, let's take a quick look at hard drives. Security is really getting better and better with each software roll. Hackers/Malwarriors are looking at other vectors to get into systems. One of the best ways to scrape info is purchasing used systems and harvesting the hard drive. It is very difficult to get rid of data once it has been magnetically written to a drive. Deleting data does not work, even if you run defrag afterwards, delete a partition or even reformat the drive. The data is not removed, it is just reflagged for use. I wrote a program a few years back that looks for deleted Windows files by simply looking for any data flagged E5h in the first bit position, then recovering it and replacing the flag with the letter Z. It still works great!</p>
<p>Many folks, when they get a system ready for resale, will not take the time to run disk wiping software because that normally also means reinstalling the OS and all of the driver packs. So they either manually delete data files and run disk defrag, or they delete a partition and believe that has covered their tails. IF they are lucky, they will only make headlines. However, most of the time this mistake is a gold mine of info that is supposed to be a closely guarded secret. There are many ways to mine for that gold, but here is the easiest. When it comes to scraping an old hard drive, I use the BlacX external disk reader from Thermaltake <a class="jive-link-external-small" href="http://www.thermaltakeusa.com/Product.aspx?S=1268&amp;ID=1642" rel="nofollow" target="_blank">http://www.thermaltakeusa.com/Product.aspx?S=1268&amp;ID=1642</a> and the fantastic recovery software from DiskInternals, Partition Recovery <a class="jive-link-external-small" href="http://www.diskinternals.com/partition-recovery/" rel="nofollow" target="_blank">http://www.diskinternals.com/partition-recovery/</a>, and the data reappears like it never left. That's because it never did. If it is an older system, I run GRC's SpinRite first, and then I use Partition Recovery. Be careful with older hard drives. Hey man, hard drives are cheap; I consider them a loss and do not include them with a used system. Then I smash my platters with a hammer. Not only is it secure but it's therapeutic as well! Well, it's time for my marathon conf calls to begin.</p>
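<p>An added example (not the author's program) of the E5h flag described above: a FAT 8.3 directory entry that Windows "deletes" keeps its size and first-cluster pointer, only its first byte becomes 0xE5, so a parser can list the flagged entries and restore one by writing a new first letter (Z here). The directory bytes are constructed inline; re-linking the file's cluster chain in the FAT itself, which a real recovery also needs, is left out. This is the reason delete, defrag and reformat are no substitute for wiping.</p>

```python
"""Walk a FAT directory region and show what 'delete' really does to an entry.

Added example, not the author's program. The 32-byte 8.3 directory layout
(name at 0, attributes at 11, first cluster low word at 26, size at 28)
is the standard FAT format; the sample directory below is constructed.
"""
import struct

ENTRY_SIZE = 32
DELETED = 0xE5      # first byte 0xE5: entry marked free, data untouched
END_OF_DIR = 0x00   # first byte 0x00: no more entries in this directory
ATTR_LFN = 0x0F     # long-file-name piece, not an 8.3 entry


def make_entry(name, ext, size, cluster, deleted=False):
    """Build one constructed 8.3 directory entry (attributes = archive)."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:8] = name.upper().ljust(8).encode("ascii")
    raw[8:11] = ext.upper().ljust(3).encode("ascii")
    raw[11] = 0x20
    struct.pack_into("<H", raw, 26, cluster & 0xFFFF)  # first cluster (low word)
    struct.pack_into("<I", raw, 28, size)              # file size in bytes
    if deleted:
        raw[0] = DELETED  # this single byte is all 'delete' changes here
    return bytes(raw)


def parse_entries(region):
    """Return one dict per 8.3 entry, deleted or not, up to the end marker."""
    entries = []
    for off in range(0, len(region) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = region[off:off + ENTRY_SIZE]
        if raw[0] == END_OF_DIR:
            break
        if raw[11] == ATTR_LFN:
            continue
        deleted = raw[0] == DELETED
        # The flag overwrote the first character of the name, so it is unknown.
        name_bytes = (b"?" + raw[1:8]) if deleted else raw[0:8]
        name = name_bytes.decode("ascii", "replace").rstrip()
        ext = raw[8:11].decode("ascii", "replace").rstrip()
        entries.append({
            "offset": off,
            "deleted": deleted,
            "name": name + ("." + ext if ext else ""),
            "size": struct.unpack_from("<I", raw, 28)[0],
            "cluster": struct.unpack_from("<H", raw, 26)[0],
        })
    return entries


def deleted_entries(region):
    """Entries flagged E5h whose size and cluster pointer are still intact."""
    return [e for e in parse_entries(region) if e["deleted"]]


def undelete(region, offset, first_char="Z"):
    """Return a copy of the region with the E5h flag replaced by first_char.

    Only the directory entry is repaired; re-linking the cluster chain in
    the FAT itself (needed for a real recovery) is outside this example.
    """
    if region[offset] != DELETED:
        raise ValueError("entry at offset %d is not flagged E5h" % offset)
    out = bytearray(region)
    out[offset] = ord(first_char)
    return bytes(out)


# Constructed sample directory: one live file, one 'deleted' file, end marker.
SAMPLE_DIR = (
    make_entry("budget", "xls", 40960, 3)
    + make_entry("secret", "txt", 1234, 9, deleted=True)
    + bytes(ENTRY_SIZE)
)

if __name__ == "__main__":
    for e in deleted_entries(SAMPLE_DIR):
        print("flagged E5h: %s size=%d first cluster=%d"
              % (e["name"], e["size"], e["cluster"]))
    restored = undelete(SAMPLE_DIR, deleted_entries(SAMPLE_DIR)[0]["offset"])
    print("after undelete:", [e["name"] for e in parse_entries(restored)])
```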
<p>If you know of a class that can help me disappear on these, please forward the info to me!</p>
<p>Jimmy Ray Purser</p>
<p>Trivia File Transfer Protocol</p>
<p>Surfing the Internet may help delay dementia because it creates stimulation that exercises portions of the brain. YES!</p></div>
Author: jimmy_ray_purser; Tags: security, debug, hacking
Wed, 17 Mar 2010 16:45:22 GMT

Build Your Own SAN!
https://learningnetwork.cisco.com/blogs/network-sheriff/2010/02/19/build-your-own-san
<div class="jive-rendered-content"><p>I have said it many times before in this and other forums that I believe data center technologies are THE career path to get into right now for the future. Especially if your background is plumbing... routin' n' switchin'.</p>
<p>But man, it is just mega tough to get started. Data center gear is expensive and, truthfully, what tripped me up was the division between data center and storage. Each area has very specific equipment and design needs. This became very evident to me when planning out a TechWiseTV show on Data Center Interconnect. Like any good route/switch engineer, I planned the show with OTV, VPLS, 10GB, Nexus, VMotion, etc... plumbing, right?</p>
<p>Come on, No Whammys, No Whammys, No Whammys.... BUZZ!! *******!</p>
<p>Steve Phillips, one of the Data Center (I mean Data Centre) geeks at Cisco, said, "What about your data back on the SAN?" Of course it was in an English accent so it sounded awesome. Of course I replied, "Dude, isn't Manchester playing Arsenal or something right now?"</p>
<p>More cost, more time, more engineering resources. Heck man, isn't a sneakernet and an external drive just as good here? A little exercise would do some of these fatties good. The problem is our networks are changing from the top to the bottom tiers. Even SMBs can greatly benefit from an optimized data center. But I am ALWAYS looking for a way to do more stuff with Open Source options. It is not an anti-corp, save-the-planet type of BS. I like Open Source because I can customize it and see if I really, honestly need the extra stuff and bloated code base that commercial code offers.</p>
<p>I started looking at my designs to see where I could test and add Open Source. The SAN/NAS stuck out like a Klingon at Celebration. I went to Best Buy and picked up three 1TB external drives (and Bioshock 2, which is not only awesome but nightmare-generating creepy, man!) and went to work... well, OK, I played Bioshock 2 for a few hours, THEN I went to work.</p>
<p>I narrowed down my homegrown SAN/NAS to two options: FreeNAS <a class="jive-link-external-small" href="http://freenas.org/" rel="nofollow" target="_blank">http://freenas.org/</a> and Openfiler <a class="jive-link-external-small" href="http://www.openfiler.com/" rel="nofollow" target="_blank">www.openfiler.com</a>. First up, FreeNAS.</p>
<p>FreeNAS works on both AMD and x86 platforms. I downloaded the AMD 64-bit image and it clocked in around 78Meg. Set up is a piece of cake. The image is a LiveCD, so I just booted up with the CD in the drive, an NCurses-type console interface displayed, and I installed and config'ed everything from there. Mega high props on the ease of install, FreeNAS! Since I am trying to emulate an SMB network, I decided to test how well the iSCSI initiator worked. The GUI for FreeNAS is simple, clean and easy to navigate. My targets were a Windows server running StarWind <a class="jive-link-external-small" href="http://www.starwindsoftware.com/" rel="nofollow" target="_blank">http://www.starwindsoftware.com/</a> and another instance of FreeNAS. Both worked perfectly. Well, FreeNAS worked great... I fat-fingered a target entry but even that showed up in the diag page.</p>
<p>I had a "uid 20 inumber 3008 on /: filesystem full" error in my logs, which made no sense to me with 3TB worth of space. So I RTM'ed and found the error was once again mine. Samba puts its Recycle Bin in the root directory of the share. Since I created a share with a path of /mnt, deleting files on any of the mounted drives caused them to be moved into /mnt/.recycle, which quickly overflowed the root filesystem. Oops!! This is a fantastic Open Source product! Highly recommended!</p>
<p>Now it's on to Openfiler. When I first saw the website with the glaring ad "Purchase Add Ons" I thought I was at a used car lot. Openfiler is an x86 platform program. I downloaded the ISO and it clocked in around 316MB. When I plugged in the CD and started the install process, a purple screen popped up and I thought I was installing switch management software from Extreme! Install was straightforward and very simple. Too easy... Openfiler is not really a program as much as it is appliance software. It is based on the venerable rPath Linux, which is a rock-solid stable version of Linux.</p>
<p>After getting Openfiler installed, the UI is just beautiful. Running it thru the same iSCSI tests I put FreeNAS thru, Openfiler passed with flying colors. It also offered some nicer graphs and charts that FreeNAS did not. I also easily tied Openfiler into my Active Directory in mixed mode and it worked great. This is very feature-rich, roll-your-own SAN appliance software. I super mega highly recommend Openfiler! I absolutely love this program as much as fishing with a top-water bass bait on a sunny day!</p>
<p>Both of these products worked great for file-based NAS. The next test is for block-mode SAN. Openfiler is the only product that does this over Fibre Channel. I will post results later on. FreeNAS does appear to have better documentation than Openfiler, as well as more community online postings. But mercy sakes, the features in Openfiler make it a winner to me! It is hard to go wrong with either choice.</p>
<p>Data Center costs add up fast! Kinda like playing Sim City and purchasing an Expo, Stadium and Zoo at the start and then not having the cash to add roads, power or plumbing. These Open Source SAN solutions give us geeks the ability to beef up the plumbing more and still have a great overall solution. Now Big Daddy is headin' back to Rapture to look for Sophia Lamb....</p>
<p>Jimmy Ray Purser</p>
<p>Trivia File Transfer Protocol<br/>Contrary to popular belief and legend, Daniel Boone not only did not wear a coonskin cap, he detested them. Instead, Boone wore a felt cap.</p></div>
Author: jimmy_ray_purser; Tags: careers, data_center, san
Fri, 19 Feb 2010 16:23:01 GMT

Video deployment is not all about Multicast
https://learningnetwork.cisco.com/blogs/network-sheriff/2010/02/03/video-deployment-is-not-all-about-multicast
<div class="jive-rendered-content"><p>3...<br/>2..<br/>1.<br/>Caffeine sequence initiated... We have lift off!</p>
<p>I rolled my fat **** out of a warm bed on a cold Wisconsin morning to conduct a WebEx Workshop on <strong>"Designing Your Network For The NEW Video"</strong> for a group of engineers in India today. I think they were surprised when I told them that this is NOT a Multicasting workshop.</p>
<p>So was I...</p>
<p>Video has really taken a major turn in how we deploy it in our networks. Back in the olden days of 5 years ago, we used to say stuff like "convergence ready for Voice, Video and Data." Truthfully, that meant Voice: Yes, Data: Yes, Video: Well, based upon today's web cams and low-efficiency codecs... ummm, sure; spelling AVVID with two V's is much cooler than just one.</p>
<p>So engineers like me started laying out rendezvous points, learning our *,G and making heads or tails of IGMPv2 over IGMPv3. Multicast was King and life was good. Plus many other apps and routing protocols also use multicasting, so it was fat city all around, you know.</p>
<p>But then a couple of major things happened that changed everything...</p>
<p>Video turned HD and the pictures were amazing. We started watching the Indianapolis Colts put the hurt on other NFL teams and the picture was so clear you could tell the linebackers that flossed from the ones that didn't.</p>
<p>High quality video production tools once reserved for the deep pockets of Hollywood were now in the hands of regular folks. Videos became a hit. So much so that we integrated video cameras on cell phones and Flip cameras. Folks wanted video at all times. Don't believe me? Fire up a video and see how many folks shoulder surf you to see what you are watching. Even without sound, video rules and captures attention. Just like the overused and tired line from Field of Dreams: "Get me a beer and hotdog so I can watch these dudes play ball." PCs followed Macs (insert snarky Mac elitist comment here) and came with web cams built in, and now new VOIP phones have video cams built right in. Video is on your network. It's kinda like video is the new wireless....</p>
<p>When it comes to planning your network for the "NEW" video, please do not make the same mistakes I made early on:</p>
<p>- Just because your network can handle voice does not mean it is ready for video.<br/>- Don't think it's all about multicasting. Multicast plays a small role in video today.<br/>- You're on video for the enjoyment of the world... all... the... time...</p>
<p>Here is why: an HD video transfer breaks down to simple math. The HD parameter <strong>1080p30</strong> basically means that:</p>
<p>- I have <strong>1080 lines of horizontal resolution</strong> that are combined with <strong>1920 lines of vertical resolution.</strong></p>
<p>HDTV 101, right? You can learn that from a Best Buy ad. Let's take it out farther. 1080p30 means that I have 2073600 pixels per screen. The "p" (progressive) means that every time I receive a frame each and every line is refreshed and redrawn. If you see an "i" (interlaced), that means that every other line is refreshed when I receive a frame. The "30" means that I am receiving frames at a rate of 30 per second. That's a lot of refreshing going on per second. In network planning terms, putting HD on your network looks like this:</p>
<p><strong>2073600 pixels * 3 Bytes (each pixel holds 3 bytes of info) * 8 bits per byte sampling * 30 frames per second = 1.5GB</strong> of information! Yowza!! Something had to be done here to get this to work on a network. Enter H.264 compression.</p>
<p>H.264 actually compresses this info from a whoppin' 1.5GB down to 5Meg! That is a 99.8% compression ratio. Kinda like those vacuum space bag things to store my old 38 Special t-shirts in! Very impressive! <strong>But here is where the problems start.</strong> Ethernet by nature is a lossy medium. Normally, that is not a big deal. Heck, on the best VOIP network we can work just fine with 1-3% loss of frames. Plus our personal tolerance for poor voice has gone up with cell phones. Especially if you have AT&amp;T. How much information do you think you lose in just one compressed H.264 frame? A noticeable amount for sure. One lost frame will result in screen pixelation (those little squares that pop up on an image).</p>
<p>Voice is actually like a group of well-trained and disciplined military troops. It's a very well behaved and predictable service. Oh sure, it's time sensitive, but the frames are small and of constant size (for example, a G.711 frame is always going to be 160 bytes plus the overhead, and flows at the rate of one every 20mS), with low bandwidth requirements, etc... More and more I am seeing voice networks deployed without any QoS. I do not recommend it, but folks are doing it without problems. Makes sense with the pipe sizes and high speed ASICs and TCAMs in today's gear.</p>
<p>Video, on the other hand, is like a preacher's kids when they leave home and go to college. They can be all easy going one minute, then nickel beer night hits and, well, you know the rest of the story... <strong>Video has a real "bursty"</strong> nature. The amount of information transferred depends upon how much movement is going on. When your screen goes thru a refresh cycle, the fewer lines you have to repaint the better. The truth lies in the math, so if we are transferring 5M per second @ 30 frames per second, that equals out to a frame every 33mS. BUT the amount of info transferred in a video frame depends on the movement, so 33mS is an average and can burst way beyond that. Now you know why Telepresence rooms look as sterile as they do. It has little to do with a unified experience and more to do with a bandwidth conservation methodology.</p>
<p>What's important here:<br/>- <strong>High Availability</strong> to the MAX! We cannot lose packets. Hang on to those packets like a coupon for free chicken at Popeye's!! Nothing pisses off an executive more than looking like Max Headroom on a video conference. The tolerance is 0.0-.05% loss, but it is really 0.0 once you factor in that things only break when management is using it, and that happens around performance eval time...<br/>For my HD networks, I run ISSU/NSF/SSO on my 4500s and VSS on my 6500s, as well as StackWise+ on my edge devices. My routing protocols like EIGRP or OSPF are config'ed for sub-second recovery. I avoid STP if possible and use Multi-chassis EtherChannel IF I can.</p>
<p>OK, time to look at latency. Our target for latency is similar to that of VOIP: 150mS one way. But truthfully, our range is 150-200mS one way. There are three other things to consider when working out your latency budget. Two you cannot control and one you can.<br/><strong>- Serialization:</strong> This is like trying to get your drunk cousin to leave your house; it's a fixed time. This is the time it takes to convert a L2 frame into a L1 group of pulses (electrical/optical). This is fixed. The important thing to know here is WHAT the serialization delay is on your gear.<br/><strong>- Propagation Delay:</strong> This is the actual delay it takes to go from point A to point B. If you are planning out latency, propagation is going to be 95% of your budget. This is also beyond your control because it is a property of physics. It takes 120mS for light in fiber optics to travel 15K miles.<br/><strong>- Queuing:</strong> This is totally within our control. Queuing delay is the chief cause of jitter. This is where solid QoS planning comes into play. The two authorities on QoS planning/mapping are RFC 3246, which is a standard, and RFC 4594, which is a best practice or Informational RFC. You absolutely positively must use QoS policies on an HD network. <strong>This is the ONLY area we have to influence latency</strong> since the other two are fixed.</p>
<p>Make sure that the switches you either have or use have the nuts to support the queuing you need. Cisco lists out their buffers with notation like this: 1p3q3t, 1p7q4t, etc... which breaks down to this:<br/><strong>1p:</strong> One single strict priority queue<br/><strong>3q:</strong> Three weighted round robin queues (which break down to 70/25/5; the numbers must always add up to 100)<br/><strong>3t:</strong> Three trigger or weighted random early detection drop thresholds.</p>
<p>Man alive, there is so much more to write here. Cisco Press does have a great book on this titled <strong>Cisco TelePresence Fundamentals</strong>, and some great design stuff is also located at <a class="jive-link-external-small" href="http://www.cisco.com/go/srnd" rel="nofollow" target="_blank">http://www.cisco.com/go/srnd</a> under the video section.</p>
<p>Just keep in mind that multicast is NOT the only way to do video now. Truthfully, I am seeing more stream splitting going on now for point-to-multipoint video, and multicast is being pushed down to a protocol handler more and more. When it is used, it is used in Source Specific Mode (SSM). I do not see multicast going away now or ever, really, as I stare at my USB-enabled Pet Rock...</p>
<p>Jimmy Ray Purser</p>
<p>Trivia File Transfer Protocol<br/>Happy Birthday to You; that'll be 30 bucks or the DMCA is going to get ya! AOL Time Warner owns the copyright of "Happy Birthday to You" until 2030. That's why movies often use different songs for birthday scenes. AOL Time Warner earns over $2 million per year from royalties for the song. Yowza!</p></div>
Author: jimmy_ray_purser; Tags: qos, video, switching
Wed, 03 Feb 2010 21:59:49 GMT

QoS Nightmares
https://learningnetwork.cisco.com/blogs/network-sheriff/2010/01/22/qos-nightmares
<!-- [DocumentBodyStart:ab374903-ac2b-47aa-9921-e670874dfc0d] --><div class="jive-rendered-content"><p><span>Last week we were shooting a TechWiseTV episode on Telepresence. I refused to do this at first since there is a ton a **** out there on how cool it looks. If we do this show we have to go behind the scenes and not even show a Telepresence system until the end of the show. We did that and it turned out to easily be one of our best shows hands down. It airs in Feb if you want to check it out. </span><a class="jive-link-external-small" href="http://www.techwisetv.com" rel="nofollow" target="_blank">http://www.techwisetv.com</a></p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>In building out the show, I was talking with our VOIP Co-Host Tina Shakour and we were sharing QoS horror stories and our conclusion is that it really takes ALOT to be more bogus then QoS. Maybe 802.1X comes close, but I'll save that for another blog....</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>And here is why;</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>When vendors talk about QoS (especially in pre-sales) they make it sound like it's a simple little toggle switch that you just throw and there you go! Kinda like enabling Dynamic ARP Inspection:</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>TWTV3750e(conf)#ip arp inspection vlan 2</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Right? Ahhh...<strong>NO.</strong></p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Are you having trouble learning QoS? Don't worry, all of us do. QoS is very different per vendor, per device and even the type of QoS you use. Config'ing QoS is truthfully, not too bad <strong>IF</strong> you keep good records and trace the path of the traffic flow to make sure QoS is preserved end to end. But since we are looking at this flow on a redundant, meshed out, high speed network many issues really come into play here. 
Stuff like switches normally do QoS in hardware queues so they have limited space and routers normally do it software queues so space is not an issue but CPU resources are. What about wireless, VPNs, MPLS and the Internet? Toss in troubleshooting frames with a MTU size of 1522? Then decide which queuing algorithm should I use and you'll be drinkin' Newcastle before noon with the rest of us QoS geeks. Pull up a stool! Many vendors have tried to simplify the QoS config process but they just open themselves up to QnQ attacks by trusting EVERY frame and allowing clients to mark their own QoS.That is certainly not going to work ever.</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Many of these things are real bummers about QoS. Cisco has made some strides in making this a little better. Features like Modular QoS is a step in the right direction <a class="jive-link-wiki-small" data-containerId="2064" data-containerType="14" data-objectId="1366" data-objectType="102" href="https://learningnetwork.cisco.com/docs/DOC-1366">https://learningnetwork.cisco.com/docs/DOC-1366</a> plus Auto-QoS is really nice for mass phone deployment. We did a show that covered Auto-QoS <a class="jive-link-external-small" href="http://www.cisco.com/en/US/solutions/ns340/ns339/ns638/ns914/html_TWTV/twtv_episode_52.html" rel="nofollow" target="_blank">http://www.cisco.com/en/US/solutions/ns340/ns339/ns638/ns914/html_TWTV/twtv_episode_52.html</a> Ease of use without compromising security is a very good thing.</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p><strong>QoS is a PART of my job and my re-certification exams, not ALL of it!!!</strong></p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Believe it or not, the ONE thing about QoS that has just gotten tons easier is (and I can not believe I am saying this) is the management. Hear me out now. Y'all know I am very critical of NMS but I have not lost hope that a good one will come along and change the game. 
That prophecy is close to being fulfilled.</p><p>Out of the shadows walks Live Action from Action Packed. <a class="jive-link-external-small" href="http://actionpacked.com/" rel="nofollow" target="_blank">http://actionpacked.com/</a></p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>This is an NMS that handles QoS like nothing else I have seen on the market today. The sick and demented minds at Action Packed have figured out a way to design a user interface that makes sense and has practical work flows based upon how I, as a field engineer, troubleshoot and manage a network overlaid with QoS. After talking with the folks at Action Packed, I found out that they are Star Trek lovin', Black Black gum chewing engineers like me. They also dislike NMS solutions, so they built their own to solve problems they see. Respect +3</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Now Live Action is an NMS, but since it was built by engineers who know the mega bogus factor of QoS, they built out a QoS sub-system interrogator that is second to none. Sure, they do stuff like combining NBAR, NetFlow, IP SLA and running configs to produce a real time picture of your network that allows me to map out traffic flows based upon applications and QoS trust levels. But they also allow me to use my imagination to customize my networks. For example, many times I have to build out my own PDLMs (Packet Description Language Modules) for NBAR and sure enough, Live Action not only picked it up but also mapped it out based upon its flow and pattern of usage.</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Of course, like many NMSs, it draws nice pictures, but the thing with Live Action is the pictures are actually useful for geeks and not upper level management. They show flow direction at the interface, and each interface is broken out and labeled with its speed. Plus I have very flexible filters that allow me to peel back traffic as I need to. 
I put Live Action through its paces and was nothing but major league impressed. I installed it on a desktop PC in my lab. It's got a small footprint around 78Meg and low system resource utilization. A real piece of cake to config and get going.</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>So I started running various hacks, torrents and viruses against my network and every single time Live Action could pick up the anomalous traffic from source to destination. Some of the traffic modeling features reminded me of the older HP Net Matrix product but much better. Plus the traffic replay feature was just icing on the cake. It allows me to see my traffic from days back and replay the entire flow. Kinda like the same feature CS-MARS has except that this one is graphical based using the same maps I use to view real time traffic. Make sure you have a good size hard drive to store this data well into the future.</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Here's the bottom line: Live Action is not a port of Fully Automated Nagios or MRTG. It is a fresh new build approach to NMS. If you run or need to run QoS on your network, I could not possibly give any other product for QoS management a higher recommendation than Live Action. This product is so good that you can actually teach yourself QoS on the fly just by simply using it. 
You can download a full-featured free version that supports three devices at:</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p><a class="jive-link-external-small" href="http://www.actionpacked.com/freeflow" rel="nofollow" target="_blank">http://www.actionpacked.com/freeflow</a></p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>or take a look at the fee based one at</p><p><a class="jive-link-external-small" href="http://www.actionpacked.com/" rel="nofollow" target="_blank">http://www.actionpacked.com</a></p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>I'm off to config an MPLS network today, which I hope is close to a Popeye's chicken....</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Jimmy Ray Purser</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Trivia File Transfer Protocol<br/> The winner of the first recorded Olympic Game in 776 BC was a baker from Eleia, Coroebus of Elis. Instead of gold he got an olive branch.</p></div><!-- [DocumentBodyEnd:ab374903-ac2b-47aa-9921-e670874dfc0d] -->
Tags: jimmy_ray_purser, voice, wireless, troubleshooting, qos. Posted Fri, 22 Jan 2010 16:12:36 GMT, https://learningnetwork.cisco.com/blogs/network-sheriff/2010/01/22/qos-nightmares
When A Firewall Is Just Not Enough: https://learningnetwork.cisco.com/blogs/network-sheriff/2010/01/08/when-a-firewall-is-just-not-enough
<!-- [DocumentBodyStart:2e790b0f-a32f-4db5-a9e4-fb732bd8827c] --><div class="jive-rendered-content"><p>Trying to keep up with all of the possible attack vectors and decreasing your attack surface is like trying to eat Minute Rice with chopsticks. It's a full time job! I used to blame a lot of attacks on PHP because it deserves it. I think PHP sucks at recursion and I just do not believe the threads are safe at all.</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>But truth be told...</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>SQL injections have really been beating me to death lately and on the flip side, I have been using them against targets for pen testing like a frat boy pounding 'em down on nickel beer night. SQL injections are fast becoming the preferred remote access method for hackers today.</p><p>Basically, a SQL injection is kinda like telling your manager wrong information to get correct info. For example:</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p><strong>Dude 1:</strong> "Hey man, I heard that Hank got promoted to Director"<br/> <strong>Manager: </strong>"What! I was just told by the VP he is getting demoted"</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Vanity, it's my favorite sin....</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>A SQL injection is the same thing, but instead of vanity or jealousy it's called lack of input validation. Let's say I want to know a username and password to log in to the DB. How about just telling the SQL server to ignore the password? You can try this SQL injection 101 string query:</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>$sql_query = "select * from users where user='admin' or '1'='1' and password='$pass'"</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Now, this is very old school and taught to budding hackers before you learn the secret handshake to the clubhouse. 
Since SQL injections use the SQL query language itself to mine tables, a hacker's combinations here are nearly endless. See <a class="jive-link-external-small" href="http://www.1keydata.com/sql/sql.html" rel="nofollow" target="_blank">http://www.1keydata.com/sql/sql.html</a> and of course a playground <a class="jive-link-external-small" href="http://ha.ckers.org/sqlinjection/" rel="nofollow" target="_blank">http://ha.ckers.org/sqlinjection/</a></p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>You know that little "I forgot my password" email applet? All that info is stored on a SQL server record somewhere, and just possibly, I can get the SQL to email me the username and password of an account I know about:</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>SELECT email, passwd, login_id, full_name<br/> FROM members<br/> WHERE email = 'x';<br/> UPDATE members<br/> SET email = 'jimmyray@twtv.nu'<br/> WHERE email = 'robb@dallas.com';</p><p>The result:</p><p>From: majordomo@dallas.com<br/> To: jimmyray@twtv.nu<br/> Subject: Account Information</p><p>Please do not reply. This automated email is in response to your request for your site log in information.<br/> Your User ID is: robb<br/> Your password is: twtv</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Much simpler and ninja-like than running complicated INSERT queries. So what's a geek to do? SQL DBs are just a part of our normal routine. Honestly, many firewalls just **** at preventing and detecting SQL injections. Not a fault of the vendor, since these queries are legal and a result of misconfiguration by the DBA. 
Up until now, my answer has been to use Snort to try and detect these, but recently I started testing a great open source SQL firewall: GreenSQL. <a class="jive-link-external-small" href="http://www.greensql.net/" rel="nofollow" target="_blank">http://www.greensql.net/</a></p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>I started using GreenSQL on my Ubuntu 9.04 server. Set up is a real piece of cake BUT before you get started make sure you have the following packages installed and ready:</p><p><strong>- libevent<br/> - pcre<br/> - mysql client</strong></p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Then I just installed two packages to get GreenSQL up and going:<br/> <strong>sudo dpkg -i greensql-fw.deb</strong><br/> The console does not come in a package so brush off your tar skills:<br/> <strong>- greensql-console-0.x.x-tar.gz </strong></p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>I did have a connectivity problem at the start trying to access the MySQL server via 127.0.0.1 when it was expecting a connection from localhost. I looked in the forums and found that GreenSQL does NOT use the localhost socket but uses 127.0.0.1 instead, so I just added access permissions with the SQL query:</p><p><strong>mysql&gt; GRANT SELECT,INSERT,UPDATE,DELETE ON Pika.* TO 'jimmyray.twtv'@'127.0.0.1' IDENTIFIED BY 'PASSWORD';</strong></p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Then it fired right up. How did it work? Better than doughballs and liver for catfish! I was able to defend against not only the above attacks but against 100 other automated SQL injections I threw at that dude!! GreenSQL is a great database firewall for MySQL in my opinion and it pairs VERY nicely with the ASA. I will certainly be deploying them together on my networks. Don't leave your DB to just a plain ole circuit level firewall. Go out and give this prog a look and start testing it in your labs. 
Hey speaking of catfish, I think I am ready to bag this work day and get my fishing gear ready....for July...</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Jimmy Ray Purser</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Trivia File Transfer Protocol<br/> Old school spammer: in 1915 William Wrigley Jr. sent chewing gum to everyone in the phone book.</p></div><!-- [DocumentBodyEnd:2e790b0f-a32f-4db5-a9e4-fb732bd8827c] -->
Tags: asa, jimmy_ray_purser, networking, sql, security. Posted Fri, 08 Jan 2010 16:05:49 GMT, https://learningnetwork.cisco.com/blogs/network-sheriff/2010/01/08/when-a-firewall-is-just-not-enough
9 Cool Geek Tips: https://learningnetwork.cisco.com/blogs/network-sheriff/2009/12/17/9-cool-geek-tips
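The tautology trick from the SQL injection post above, as an added Python example that is neither the post's code nor GreenSQL's: the same login check built two ways, string concatenation in the style of the `$sql_query` line versus bound parameters, run against a constructed in-memory SQLite table (the sample accounts are made up), plus a toy `looks_like_tautology` check that stands in for the kind of pattern a database firewall or a Snort rule would flag (an assumption for illustration, not GreenSQL's actual logic).

```python
import re
import sqlite3

# Constructed sample accounts for this example; not real credentials.
SAMPLE_USERS = [("admin", "s3cret"), ("robb", "twtv")]


def setup_db():
    """Build an in-memory members table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (login_id TEXT, passwd TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_vulnerable_sql(user, password):
    """String-built query in the style of the $sql_query line in the post:
    user input is pasted straight into the SQL text."""
    return ("SELECT login_id FROM members WHERE login_id='%s' "
            "AND passwd='%s'" % (user, password))


def login_vulnerable(conn, user, password):
    """Returns the matched login_id, or None. Because the query text is built
    from raw input, a quote in the username rewrites the WHERE clause."""
    row = conn.execute(build_vulnerable_sql(user, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, user, password):
    """Same check with bound parameters: the driver sends the values
    separately from the statement, so quotes in the input are just data."""
    row = conn.execute(
        "SELECT login_id FROM members WHERE login_id=? AND passwd=?",
        (user, password),
    ).fetchone()
    return row[0] if row else None


# Toy tautology detector: a quoted literal compared with itself, e.g. '1'='1'.
# Assumption: a simplified illustration of what a database firewall or IDS
# signature looks for, not GreenSQL's real decision logic.
TAUTOLOGY = re.compile(r"'([^']*)'\s*=\s*'\1'")


def looks_like_tautology(sql):
    """True when the query text contains a literal-equals-itself comparison."""
    return TAUTOLOGY.search(sql) is not None


if __name__ == "__main__":
    db = setup_db()
    injected_user = "admin' or '1'='1"
    print(login_vulnerable(db, injected_user, "wrong"))   # admin
    print(login_safe(db, injected_user, "wrong"))         # None
    print(looks_like_tautology(build_vulnerable_sql(injected_user, "wrong")))  # True
```

The vulnerable variant returns the admin row for the input `admin' or '1'='1` with any password because AND binds tighter than OR, which leaves `login_id='admin'` true on its own; the parameterized variant sends the same string as a plain value and matches nothing. The detector is only a hint of the approach: a real database firewall learns the application's normal queries rather than pattern-matching one trick.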
<!-- [DocumentBodyStart:4feb5ca4-831f-4ec2-aa95-8ea449734757] --><div class="jive-rendered-content"><p><span>There are more lists out there today than sushi bars in California. Things like Top 10 Best Hacking Tools or Top 10 Ways to Take Down Super Mutants in Fallout 3. I have written many of these types of lists myself and certainly have read even more. In the world of networking, many times the answer to a problem is "It depends." For me, lists help shorten that dreaded "it depends" answer. And truthfully, if I can use an obscure tip to solve a problem, my alpha geek score goes up +24. When I sat down to write this blog, I thought I would write about tips I use so often that they are stored in NVRAM and called from the buffer easily. This is not a list based upon a weighted value but just stuff I have picked up along the way to make my IT life easier and increase my fishing and Newcastle time. But if you really dig just lists of great info it is really hard to beat ListVerse at </span><a class="jive-link-external-small" href="http://listverse.com" rel="nofollow" target="_blank">http://listverse.com</a><span>. They are on my RSS reader and they also have a great Lists book out that is a lot of fun. Now on to the Geek List!</span></p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p><strong>Tip 00x01:</strong> My lab is in my basement. Many times I need to send out an SMS but my cell phone has no connectivity in this hole and yes I am too lazy to walk upstairs. No problem! I just send an SMS via my email account. Let's say I need to send an SMS to someone on Sprint. On the TO: line I type their phone number and the provider domain name: <a class="jive-link-email-small" href="mailto:1235551212@messaging.sprintpcs.com">1235551212@messaging.sprintpcs.com</a><br/> How cool is that! 
Here is a list of providers I use all the time:<br/> - Sprint: &lt;10 Digit Cell Number&gt;@messaging.sprintpcs.com<br/> - Nextel: &lt;10 Digit Cell Number&gt;@messaging.nextel.com<br/> - AT&amp;T: &lt;10 Digit Cell Number&gt;@txt.att.net<br/> - U.S. Cell: &lt;10 Digit Cell Number&gt;@email.uscc.net<br/> - Verizon: &lt;10 Digit Cell Number&gt;@vtext.com</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p><strong>Tip 00x02:</strong> Vista Auto Tuning sucks. I only have a few Vista machines I use in my lab, but it is clear real fast that the auto tuning feature makes the Internet connection slow down big time. I turn it off with the CLI command:<br/> - "netsh interface tcp set global autotuning=disabled"<br/> Verify it is off with the CLI command:<br/> - "netsh interface tcp show global" and check for the line that reads "Receive Window Auto-Tuning Level" and make sure it says disabled.</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p><strong>Tip 00x03:</strong> Here in my lab, I am rebuilding images all the time. A little Linux trick I learned at a user group meeting was to make sure I have /home in a separate partition. This simple but powerful trick allows me to reinstall the system or even change the entire distro without losing my data and personal settings. Just keep the "/home" partition intact and reinstall whatever I need to on "/".</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p><strong>Tip 00x04:</strong> Making directory trees with one command. I was taught this trick by a scripting genius here at Cisco. This is how I used to make directory trees in Linux:<br/> $ mkdir tmp<br/> $ cd tmp<br/> /tmp $ mkdir a<br/> /tmp $ cd a<br/> /tmp/a $ mkdir b<br/> /tmp/a $ cd b<br/> /tmp/a/b/ $ mkdir c<br/> /tmp/a/b/ $ cd c<br/> /tmp/a/b/c $<br/> Whole lotta typin' going on there. 
How about increasing your geek status and doing this same thing with a small tweak...add the -p.<br/> $ mkdir -p tmp/a/b/c<br/> The BEST part of this is, now I can script out complex directory trees with a command like this:<br/> $ mkdir -p project/{lib/ext,bin,src,doc/{html,info,pdf},demo/stat/a}</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p><strong>Tip 00x05:</strong> Seems like every time I boot up my Mac, I have another iTunes update waiting for me. One of the features I miss from iTunes 6 was the master playlist. All of the songs in my entire library were in one list. This is great when I am outside mowing the yard and just want a ton of tunage. Here is a simple way to get that list back. Shut down iTunes, go to the terminal app and enter:<br/> $ defaults write com.apple.iTunes show-library-playlist -bool TRUE<br/> $ defaults write com.apple.iTunes hide-library-playlist -bool FALSE<br/> Now open iTunes and there it is!</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p><strong>Tip 00x06:</strong> Finding resources with StumbleUpon. Stumble is a great tool for finding info on the Internet/Deep Web that interests you. Different from algorithm-based engines like Google, A9, Yahoo, etc., StumbleUpon is people-powered by its user groups and is more of a web harvester. I have found many great security sites simply by stumbling across them. <a class="jive-link-external-small" href="http://www.stumbleupon.com/" rel="nofollow" target="_blank">http://www.stumbleupon.com/</a></p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p><strong>Tip 00x07:</strong> Simplify your Snort signature writing time with Nebula. I run honeypots here in my lab and other places to gather info on various attacks. The problem is correlation. I started using the program Nebula to do a first pass at writing my Snort sigs. I run it as a daemon and it takes the output from Honeytrap and spits out a sig in seconds! Works great and is a real time saver. 
Take a look at: <a class="jive-link-external-small" href="http://nebula.mwcollect.org/" rel="nofollow" target="_blank">http://nebula.mwcollect.org/</a></p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p><strong>Tip 00x08:</strong> Heading into a boring meeting? Nothing like a shot of humor to pick you up and get ya going. Here are a few of my favs:<br/> <a class="jive-link-external-small" href="http://www.safenow.org/" rel="nofollow" target="_blank">http://www.safenow.org/</a><br/> <a class="jive-link-external-small" href="http://diy.despair.com/motivator.php" rel="nofollow" target="_blank">http://diy.despair.com/motivator.php</a><br/> <a class="jive-link-external-small" href="http://www.murphys-laws.com/murphy/murphy-technology.html" rel="nofollow" target="_blank">http://www.murphys-laws.com/murphy/murphy-technology.html</a><br/> <a class="jive-link-external-small" href="http://www.break.com/" rel="nofollow" target="_blank">http://www.break.com</a><br/> <a class="jive-link-external-small" href="http://www.boreme.com/" rel="nofollow" target="_blank">http://www.boreme.com/</a><br/> <a class="jive-link-external-small" href="http://www.theonion.com/" rel="nofollow" target="_blank">http://www.theonion.com</a></p><p><a class="jive-link-external-small" href="http://artofmanliness.com" rel="nofollow" target="_blank">http://artofmanliness.com</a></p><p><a class="jive-link-external-small" href="http://www.cracked.com" rel="nofollow" target="_blank">http://www.cracked.com</a></p><p><br/> <a class="jive-link-external-small" href="http://www.icn.tv/" rel="nofollow" target="_blank">http://www.icn.tv/</a></p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p><strong>Tip 00x09:</strong> Default passwords. Many times, folks just leave the default password on gear and never change it. But there is so much gear out there plus all of the OEM partnerships between vendors, how do you keep track of it all? 
Kiss it simple: <a class="jive-link-external-small" href="http://artofhacking.com/etc/passwd.htm" rel="nofollow" target="_blank">http://artofhacking.com/etc/passwd.htm</a></p><p>Only nine tips?? What gives Jimmy Ray? The 10th tip is something we should always be sharing with each other. I am hoping that you will share your 10th tip on this blog! Do you have a timesaver, shortcut or just something cool? Man up!</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Jimmy Ray Purser</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Trivia File Transfer Protocol</p><p>Rudolph step aside. Santa has a different traveling buddy in Austria and Germany. His name is Krampus and he beats people with sticks. The story of the Krampus has been used for centuries to frighten children into behaving before Christmas. ******* **** man! Merry Christmas...whack!</p></div><!-- [DocumentBodyEnd:4feb5ca4-831f-4ec2-aa95-8ea449734757] -->
Tags: jimmy_ray_purser, networking, troubleshooting, switching, security. Posted Thu, 17 Dec 2009 15:34:41 GMT, https://learningnetwork.cisco.com/blogs/network-sheriff/2009/12/17/9-cool-geek-tips
Klaatu Barada Nikto: https://learningnetwork.cisco.com/blogs/network-sheriff/2009/12/04/klaatu-barada-nikto
<!-- [DocumentBodyStart:39611879-1227-4fe2-9694-4cd6eda8104c] --><div class="jive-rendered-content"><p>Talking smack and messin' around with folks. These are a few of my favorite things - in a good way, of course! Not a type "A" win-at-all-cost jag-off like the folks you want to punch right square in the face at a sporting event. For me it's to bring out the competitive spirit and comradeship between friends. This is most likely why I am drawn to fishing so much. Challenging each other, to see who gets to take the walk of glory vs. the walk of shame back to the truck, is always a good time.</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>So here I am on a conference call with a few of the Dudes in my hacking circle and we are all laying it down thick and heavy to each other, playing "Can you top this?" So of course a challenge ensued: "Break up into teams of two and see how many servers (of each other's) we can compromise." Sounds fair and fun right? Oh no, not for me, 'cause, you see, I am an idiot. I just have to push it just a bit more.</p><p>So I say, "If you can break into my server and capture my flag, I will send you out a Wisconsin Kringle from <a class="jive-link-external-small" href="http://www.ohdanishbakery.com/" rel="nofollow" target="_blank">O&amp;H Bakery</a> and I will wear a dress on the next episode of TechWiseTV."</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Yeah, that's right. I am a moron.</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>I went about config'ing and hardening up my server to get ready for the contest. The rules are simple. It needs to be on the Internet, needs to be a Web server, we have 72 hours to config it and 72 hours to git 'er done! I started running some pen tests and it looked good, but pen testing your own stuff is like proofreading your own blog. I needed something else that was more automated. I tried Nessus, Paros and WebScarab and they did indeed catch some stuff. 
I was feeling OK, but I just felt I was missing something. I did not know what, but I was going to deploy the server.</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Now I am a fan of crappy sci-fi movies, so I had the Robert Wise classic "The Day the Earth Stood Still" playing in the background and started thinking about the 1974 album cover of Goodnight Vienna with Ringo Starr wearing a spacesuit saying "Klaatu Barada Nikto." Laughing to myself, I thought, yeah that al...***... wait... Nikto! That's it! How did I overlook that awesome tool?</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Nikto is an excellent Web scanner that for some unknown reason I totally forgot about - oh right, see paragraph four. Anyway, I went <a class="jive-link-external-small" href="http://cirt.net/nikto2" rel="nofollow" target="_blank">here</a> to download and make this prog. Nikto is built on LibWhisker and will run on any machine with Perl installed. I will be using my Ubuntu machine to get this Dude up and going. To get it going you need to preinstall a few modules:<br/> - <a class="jive-link-external-small" href="http://www.cpan.org/" rel="nofollow" target="_blank">PERL and Net_SSLeay</a><br/> - <a class="jive-link-external-small" href="http://www.wiretrip.net/" rel="nofollow" target="_blank">LibWhisker</a></p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Then a simple sudo apt-get command grabs this 264K file and it is ready to go:</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p><strong>sudo apt-get install nikto</strong></p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Running it is really just as simple. My server IP was 192.168.1.22 so to get it started I just entered:</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p><strong>./nikto -h 192.168.1.22</strong></p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Nikto starts to run a bunch of tests against the Web server and then prints the results to the terminal. 
Sure enough, Nikto found a hole that I know would have bit me in the tail:</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p><strong>+OSVDB-877: TRACE /: TRACE option appears to allow XSS...</strong></p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>I also used the -mutate option to actively look for and try to exploit other weaknesses. I had success again with test 4:</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p><strong>enumerating users via /cgi-bin/cgiwrap/~user</strong></p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Nikto is a fantastic tool that can take input from Nmap to scan multiple servers (kinda slow though), and there is a prebuilt NASL plug-in for Nessus as well to extend Nikto. I also used Nikto Evasion mode to put the LibWhisker module to work and actually slipped through an IDS and grabbed a flag. What a fantastic tool this is!</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>As for the contest? Well, we didn't win - but we didn't lose either. So Lane Bryant won't see me in their shop this time - oh wait, I mean "ever"! That's what I meant, "ever"!</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Jimmy Ray Purser</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Trivia File Transfer Protocol</p><p>Hello wasn't always the first thing people said when they answered the phone. 
After the first proper phone service was started in the US in 1878, people said "Ahoy".</p></div><!-- [DocumentBodyEnd:39611879-1227-4fe2-9694-4cd6eda8104c] -->
Tags: jimmy_ray_purser, security, networking, pen_testing. Posted Fri, 04 Dec 2009 21:37:04 GMT, https://learningnetwork.cisco.com/blogs/network-sheriff/2009/12/04/klaatu-barada-nikto
How to make IDS actually IDS: https://learningnetwork.cisco.com/blogs/network-sheriff/2009/11/20/how-to-make-ids-actually-ids
<!-- [DocumentBodyStart:b7e0b25d-7017-48b2-9c1c-318224485345] --><div class="jive-rendered-content"><p>I have never been a fan of fishing with plastic worms. Not because it's a real worm vs. fake worm purist argument, heck I've fished with TNT before as a kid. Now that's a real hoot! It's because I have never ever caught a single thing with them. To me, they are ineffective and a waste of time/money. I have folks argue with me all the time how wrong I am about plastics, yet when I go out to fish with them, they never catch anything. Logical conclusion: Plastics blow.</p><p>That is how I feel about Intrusion Detection/Prevention. IDS is the plastic worm of network security devices in today's more advanced botnet-oriented world. The marketing for both plastic worms and IDS is close to the same:</p><p><br/> - Looks Lifelike::Real World Based Signatures<br/> - 400x Scent dispersion::Lower False Positives<br/> - Recommended by Top Anglers::Some vendors paid off "third party" Certified and Tested<br/> - Money Back if not satisfied::......</p><p><br/> I use an IDS node cluster for research and it works great for that. But what use is that data for a campus LAN? I use it to increase my knowledge and help the fight against bots world wide. I do not see Enis the accountant or Hank the server admin pumping out C code for a fix. Although, I admit it is great to use this data to pump out shellcode from Nebula for Snort sigs. But that is IDS. Now, if a device is a TRUE IPS and it will take action in either shunting an attack or reconfig'ing a firewall then we have a tool that is useful in the campus LAN. The difference here is active vs. passive.</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>The single biggest mistake I see in IPS deployment is traffic flow engineering. 
Many folks get these shiny new IPS devices in and they either:<br/> - Config them like servers<br/> or<br/> - Config them like switches/routers</p><p><br/> An IPS device is config'ed differently than any other piece of gear on the network. It is not just another 1U appliance to make mid level managers happy. An IPS needs to be placed inline to traffic flow. Now any engineer worth their salt is going to design a network to withstand a failure from inline gear. Most inline appliances have hard drives that are prone to failure. Heck I have replaced three in my laptop already. An inline failure stops traffic flow and increases resume flow. Not cool at all.</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>So normally, we install two of these devices with channelized links to withstand multiple failures.</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>That is the problem.</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Traffic MUST flow symmetrically thru an IPS and NOT asymmetrically. An IPS has to see both sides of a conversation to be effective. Truthfully, many folks install an IPS and never touch it again because of the high false positive rate. They hate it and think it sucks and classify it as the plastic worm in the network. Recently, I have visited many customer sites that classified Conficker as a false positive because their asymmetric traffic flow missed the command and control connection to the bot.</p><p>IPS must be looked at from the traffic's point of view to be an effective piece of equipment. If not, you are just wasting your time and money putzing around with it.</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>When I install an IPS cluster I normally do the following steps:<br/> - Break the network up into two VRF instances per IPS (assuming this is a switch-block designed L3 network). Half on one side and half on the other per IPS. 
This allows me to group my VLANs into a single manageable group for traffic flow engineering.<br/> - I use a separate switch to connect my multiple IPS links into. In a channelized link, traffic flow is determined by source-destination information. That info is hashed into an XOR type of algorithm to determine which link traffic should flow down. This is determined at each switch end. The switch in the middle helps keep this algorithm the same so traffic flow is consistent and BOTH sides of the conversation flow to the correct IPS.<br/> - Before deployment, I double check the switch algorithm with the IOS command:</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>TWTVSwitch#test etherchannel load-balance interface port-channel 4 ip 172.16.2.2 172.24.3.3<br/> Computed RBH: 0x1<br/> Would select Gi2/22 of Po4</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>This lets me dry run what my traffic flow will be before it ever hits the IPS to ensure I am seeing both sides of a conversation between hosts. I have been doing this little design trick for quite some time now and it has decreased the false positive rate and increased IPS accuracy big time. Also, I need to give a huge shout out to the Cisco SAFE team that has published this and other great ideas in the brand new and minty fresh Safev2 documentation at <a class="jive-link-external-small" href="http://www.cisco.com/go/safe" rel="nofollow" target="_blank">http://www.cisco.com/go/safe</a> This will certainly turn any IPS from a plastic worm to a Rapala X-Rap in no time flat!</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Jimmy Ray Purser</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Trivia File Transfer Protocol<br/> Dr. Seuss's editor Bennett Cerf challenged him to write a book that could use no more than 50 words. 
Seuss took that challenge and wrote the book "Green Eggs and Ham", which uses exactly 50 words: a, am, and, anywhere, are, be, boat, box, car, could, dark, do, eat, eggs, fox, goat, good, green, ham, here, house, I, if, in, let, like, may, me, mouse, not, on, or, rain, Sam, say, see, so, thank, that, the, them, there, they, train, tree, try, will, with, would, you.</p></div><!-- [DocumentBodyEnd:b7e0b25d-7017-48b2-9c1c-318224485345] -->switchingsecurityjimmy_ray_pursernetworkingFri, 20 Nov 2009 14:21:55 GMTbounce@learningnetwork.cisco.comhttps://learningnetwork.cisco.com/blogs/network-sheriff/2009/11/20/how-to-make-ids-actually-ids2009-11-20T14:21:55Z7 years 3 weeks ago0https://learningnetwork.cisco.com/blogs/network-sheriff/comment/how-to-make-ids-actually-idshttps://learningnetwork.cisco.com/blogs/network-sheriff/feeds/comments?blogPost=1513Geek Salute to Veteranshttps://learningnetwork.cisco.com/blogs/network-sheriff/2009/11/11/geek-salute-to-veterans
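<p>As an added illustration of the symmetry point in the IPS post above (this is example code written for this page, not the author's and not Cisco's real RBH computation): a toy model of EtherChannel member-link selection. The member link names and the fold-to-three-bits hash are assumptions; what carries over to real gear is that a hash fed with both endpoints (src-dst-ip) is commutative, so client-to-server and server-to-client land on the same link and therefore the same IPS, while a src-only or dst-only hash is not.</p>

```python
# Simplified model of EtherChannel member-link selection. NOT Cisco's RBH
# polynomial; it only demonstrates why the hash input must include BOTH
# endpoints for the two directions of one flow to pick the same member link.
import ipaddress

# Hypothetical members of Po4 (names made up for the example).
MEMBER_LINKS = ["Gi2/21", "Gi2/22", "Gi2/23", "Gi2/24"]


def rbh(src, dst, mode="src-dst-ip", bits=3):
    """Fold the selected header fields into a small Result Bundle Hash.

    mode mirrors the choices of 'port-channel load-balance':
      src-ip, dst-ip, src-dst-ip.  The XOR/fold is a stand-in for the
    platform's real hash; the symmetry argument does not depend on it.
    """
    s = int(ipaddress.ip_address(src))
    d = int(ipaddress.ip_address(dst))
    if mode == "src-ip":
        v = s
    elif mode == "dst-ip":
        v = d
    elif mode == "src-dst-ip":
        v = s ^ d                      # XOR is commutative: f(a, b) == f(b, a)
    else:
        raise ValueError("unknown load-balance mode: %s" % mode)
    # Fold the 32-bit value down to 'bits' bits (3 bits -> 8 RBH buckets).
    h, mask = 0, (1 << bits) - 1
    while v:
        h ^= v & mask
        v >>= bits
    return h


def select_link(src, dst, mode="src-dst-ip", links=MEMBER_LINKS):
    """Map the RBH bucket onto a member link, as each switch end would."""
    return links[rbh(src, dst, mode) % len(links)]


def flow_is_symmetric(src, dst, mode="src-dst-ip", links=MEMBER_LINKS):
    """True when A->B and B->A are carried on the same member link."""
    return select_link(src, dst, mode, links) == select_link(dst, src, mode, links)


def audit(pairs, mode, links=MEMBER_LINKS):
    """Return the (src, dst) pairs whose return traffic would miss the IPS
    that saw the forward direction, for the given load-balance mode."""
    return [(s, d) for s, d in pairs if not flow_is_symmetric(s, d, mode, links)]


if __name__ == "__main__":
    # Constructed sample conversations (the first pair is the one from the post).
    sample = [("172.16.2.2", "172.24.3.3"),
              ("10.1.1.10", "10.2.2.20"),
              ("192.168.0.5", "172.20.9.9")]
    for mode in ("src-dst-ip", "src-ip"):
        print(mode, "asymmetric pairs:", audit(sample, mode))
```

<p>Run it and the src-dst-ip audit comes back empty while src-ip flags conversations whose two directions hash to different members; that is exactly the condition the <strong>test etherchannel load-balance</strong> dry run in the post is there to catch before the IPS goes inline.</p>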
<!-- [DocumentBodyStart:7a817205-31a7-42ad-b36d-19f1b55d828c] --><div class="jive-rendered-content"><p><strong>TWTV2811&gt;en<br/> TWTV2811#conf t<br/> TWTV2811(config)#banner exec #</strong><br/> Happy Veterans Day to all military personnel that have served and that are currently serving. Your service and dedication to the United States of America is greatly admired. While I sit here in my lab using the skills that I learned in the United States Navy to feed my mind and my family, I think about all the friends I have made in the military and how incredible it felt to put on the uniform. I think about how the Star Spangled Banner was a nifty tune set to the drinking song, "An Anacreon to Heaven" until I was in the military and now it is the only song that still brings tears to my eyes. When it plays I am transported back and think about all the Veterans that gave it all. All the tables that will have an empty chair over the holiday season. I remember pulling into ports with Battlegroup Alpha, the flag of the United States flapping in the wind with the sound of the Persian Gulf slapping against the gunwales of the ship. It is like nothing I have ever felt, just amazing. All this time I had been from Tennessee until I went overseas and then I found out, I was an American and it is a big deal. Today, we use the term "hero" all too loosely. Someone who makes a basket and drives off in a Ferrari is paraded out as a hero. To the Veterans that made the decision to serve, put it all on the line and totally changed their lifestyle for little pay, you are my heroes and have my absolute deepest respect and gratitude.<br/> Fair Winds and Following Seas.... oh yeah... and <strong>GO NAVY!</strong><br/> #<br/> <strong>TWTV2811(config)#do wr mem</strong></p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Jimmy Ray Purser</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Trivia File Transfer Protocol<br/> Bad to the Bone could have been written about Sgt. 
Thomas Baker. When his troops were withdrawing, Sgt. Baker, badly injured, refused, insisting that he be left alone to fight off a wave of 5,000 enemy soldiers to give his troops time to escape. He requested a soldier's pistol with its remaining eight rounds of ammunition. When last seen alive, Sgt. Baker was propped against a tree, pistol in hand, calmly facing the foe. Later Sgt. Baker's body was found in the same position, gun empty, with eight enemy soldiers lying dead before him.</p></div><!-- [DocumentBodyEnd:7a817205-31a7-42ad-b36d-19f1b55d828c] -->jimmy_ray_pursercareersWed, 11 Nov 2009 14:44:09 GMTbounce@learningnetwork.cisco.comhttps://learningnetwork.cisco.com/blogs/network-sheriff/2009/11/11/geek-salute-to-veterans2009-11-11T14:44:09Z7 years 1 month ago10https://learningnetwork.cisco.com/blogs/network-sheriff/comment/geek-salute-to-veteranshttps://learningnetwork.cisco.com/blogs/network-sheriff/feeds/comments?blogPost=1504Protocol Hacking 101https://learningnetwork.cisco.com/blogs/network-sheriff/2009/10/30/protocol-hacking-101
<!-- [DocumentBodyStart:5cd65739-b8ff-4415-8235-2eadb3ad64ce] --><div class="jive-rendered-content"><p>I was conducting a hacking 101 security training session at a users group meeting about a month ago. After some Newcastle and Pizza (mando requirement in my sessions) I had gone over a common character overflow limit on a Solaris box I discovered a while back when a skinny dude (for Wisconsin) stood up and said, "How did you figure that out?" I told him that I fuzzed it. At that point, the entire talk shifted from running canned exploits to finding your own via fuzzing. I loved it! A 90 minute presentation went on for over three hours. A new group of Fuzz Warriors were forged that cold day in the tundra of Wisconsin.</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Fuzzing is the core of most 0day exploits. Not too many folks actually open up a process and then hit 128 "n's" by hand to crash an application or bug out the stack, or even go thru source code line by line (if it is available). Plus, with so many Star Trek episodes on now, who wants to do that? Most of us let software do it for us. Whether that is thru reversing binaries or fuzzing, it is a way for us security type folks to check out the code at a deeper level. "NaNaNaNaNaNaNaNa Be the code" Caddy Shack 1 fans can I get a witness!!</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Let's lay down a little background here. Fuzzing is the art of feeding a bunch of random **** (you know, kinda like the same thing many analysts do to us, only more credible/useful) to a program or protocol to crash it and analyze the results. This is why many vendors want your crash data. It is ULTRA important! A crash tells a code jockey so much about a program. It can also tell a hacker even more... By crashing a program/protocol we can find a possible bug and write a patch or an exploit to take advantage of it. Like nearly everything in networking, fuzzing is broken down into specialties. 
When I say the word specialties I always hear Obi-Wan Kenobi say "Sith Lords are our speci-E-al-ity" in Star Wars III, which is an excellent flick to have playing in the background while you're fuzzin'</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Anyway...</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>There are Web Fuzzers, Protocol fuzzers, Embedded fuzzers, navel lint fuzzers, etc. I will be focusing on protocol fuzzing. Mainly because I write most of my code in C. Also IA32 Assembly when I need to prepare for a visit from my inlaws to get used to the monotony. Truthfully I read much more Assembly than I ever write...thank goodness. My favorite fuzzer is from Immunity and it is really more of a framework for building a custom fuzzer thru a massive API library. It is called SPIKE, it's free and the tarball can be downloaded at <a class="jive-link-external-small" href="http://www.immunityinc.com/" rel="nofollow" target="_blank">http://www.immunityinc.com</a> It only runs on Linux. Spike is a great program but the downside is the documentation sucks. For example, I had a few problems getting it installed but a quick error search on Google brought me to Rajat Swarup's blog with the answer. <a class="jive-link-external-small" href="http://rajatswarup.blogspot.com/2008/04/spike-fuzzer-linker-errors.html" rel="nofollow" target="_blank">http://rajatswarup.blogspot.com/2008/04/spike-fuzzer-linker-errors.html</a> However, in Spike's defense it comes with many examples and if you are comfortable in C its template-based design really makes it a snap to use. Plus Immunity really reaches out to advance the security community immensely. One of their top code jockeys Dave Aitel is always writing up something or speaking about it somewhere. 
Don't pass up a chance to hear Dave Aitel speak.</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Spike is known as a block-mode fuzzer, which is the best fit for protocols since it treats each block of a protocol (headers, length fields, checksums, etc.) separately and can fix up a length block after it has mangled the data that block covers. The trick to fuzzing is do not try and reinvent the wheel. Google out to see what other folks know about your target protocol. I always check the Wireshark dissectors directory and search for my protocol to see if a decoder exists. That will really shortcut the process by giving you a ready reference. Start out small with frames from ARP to get used to the process. Then work on your differential analysis skills by fuzzing a pre-2006 VTP frame and then a current VTP frame and look at the differences. If you ever have wanted to work in a research lab or have, then you'll know that a consistently repeatable process is a positive hit. One hit is not a positive. 100+ hits doing the same thing with other like frame samples is. The more comfortable you get in doing this, the more you will tackle more advanced protocols by just loading your frame samples from scratch.</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>But some protocols, well...just **** to fuzz and require different types of fuzzers when all results fail. For example, I started out trying to fuzz LLDP (Link Layer Discovery Protocol) but I had a major problem with TLV (Type-Length-Value) handling in Spike. The TLVs in LLDP are odd and my thought is there must be something I can use in there. Although I have heard that the fuzzer Sulley <a class="jive-link-external-small" href="http://code.google.com/p/sulley/" rel="nofollow" target="_blank">http://code.google.com/p/sulley/</a> does a good job at it. I just have not tested Sulley yet, but many fuzzers swear by it. 
There is a canned LLDP fuzzer out there already with good documentation but it is old and I was just looking for some...other things that I am sure are there in the source code...</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Fuzzing is a great way to get closer to the protocol by running a huge battery of test conditions against many parts of a protocol. To be honest I cannot think of a single method that gives you so much valuable information vs. the set up time quite like fuzzing. Do it once, become a believer for life. I have found many vulns in protocols just by simply loading frames into a Spike template using s_binary and s_string and letting it run to look for that golden EIP and EBP (instruction pointer/base pointer) to be overwritten! It honestly still gives me goosebumps and I cheer like the Colts just beat the Packers! (Hey it can happen!) To be comfortable in fuzzing you should understand C programming to know what you are looking at. I also highly recommend the book Fuzzing from Addison-Wesley <a class="jive-link-external-small" href="http://www.fuzzing.org/" rel="nofollow" target="_blank">http://www.fuzzing.org</a> as a fantastic way to get into this awesome field of research.</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Jimmy Ray Purser</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Trivia File Transfer Protocol<br/> It's possible to have $1.19 and still be unable to make change for a dollar. 
(50 cent piece, Quarter, x4 dimes and x4 pennies)</p></div><!-- [DocumentBodyEnd:5cd65739-b8ff-4415-8235-2eadb3ad64ce] -->jimmy_ray_purserhackingtroubleshootingtechwisetvroutingFri, 30 Oct 2009 20:08:42 GMTbounce@learningnetwork.cisco.comhttps://learningnetwork.cisco.com/blogs/network-sheriff/2009/10/30/protocol-hacking-1012009-10-30T20:08:42Z7 years 1 month ago0https://learningnetwork.cisco.com/blogs/network-sheriff/comment/protocol-hacking-101https://learningnetwork.cisco.com/blogs/network-sheriff/feeds/comments?blogPost=1496The Return of Wardailinghttps://learningnetwork.cisco.com/blogs/network-sheriff/2009/10/22/the-return-of-wardailing
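<p>To make the block-mode idea from the post above concrete, here is a small added example (written for this page; it is not SPIKE, not Sulley, and not the author's code): an LLDP TLV builder whose 9-bit length field is a separate block that the fuzzer is allowed to lie about, plus a deliberately naive parser standing in for the kind of C code that trusts the length before copying. The Chassis ID, Port ID and TTL values are made up, and the "crash" is a ValueError raised exactly where a C parser would read past the buffer.</p>

```python
import struct

# Constructed sample LLDPDU content (made-up values): (tlv_type, value)
BLOCKS = [
    (1, b"\x04" + bytes.fromhex("001122334455")),  # Chassis ID, subtype 4 (MAC)
    (2, b"\x05eth0"),                               # Port ID, subtype 5 (ifname)
    (3, struct.pack("!H", 120)),                    # TTL, 120 seconds
]
EDGE_LENGTHS = (0, 1, 0x1FF)   # edge values for a 9-bit length field


def tlv(tlv_type, value, length=None):
    """Encode one LLDP TLV: 7-bit type, 9-bit length, then the value bytes.
    'length' defaults to the true size; the fuzzer overrides it to lie."""
    if length is None:
        length = len(value)
    header = ((tlv_type & 0x7F) << 9) | (length & 0x1FF)
    return struct.pack("!H", header) + value


def lldp_frame(lengths=None):
    """Build the LLDPDU; 'lengths' optionally overrides each length block."""
    lengths = lengths or [None] * len(BLOCKS)
    body = b"".join(tlv(t, v, n) for (t, v), n in zip(BLOCKS, lengths))
    return body + tlv(0, b"")          # End-of-LLDPDU TLV


def mutate_lengths():
    """Yield one length override at a time: the edge values plus the
    off-by-one cases (true length -1 / +1) that block fuzzers live for."""
    for i, (_, value) in enumerate(BLOCKS):
        true_len = len(value)
        for cand in EDGE_LENGTHS + (true_len - 1, true_len + 1):
            lengths = [None] * len(BLOCKS)
            lengths[i] = cand
            yield lengths


def parse_lldp(frame):
    """Naive parser that trusts the length field the way a C implementation
    would before memcpy(). Raises ValueError where C would overrun."""
    off, tlvs = 0, []
    while off < len(frame):
        if off + 2 > len(frame):
            raise ValueError("truncated TLV header at offset %d" % off)
        (hdr,) = struct.unpack_from("!H", frame, off)
        t, n = hdr >> 9, hdr & 0x1FF
        if off + 2 + n > len(frame):
            raise ValueError("length %d overruns frame at offset %d" % (n, off))
        tlvs.append((t, n, frame[off + 2:off + 2 + n]))
        off += 2 + n
        if t == 0:                     # End-of-LLDPDU
            break
    return tlvs


def run_campaign():
    """Feed every mutant to the parser; return the ones that 'crashed'."""
    crashes = []
    for lengths in mutate_lengths():
        try:
            parse_lldp(lldp_frame(lengths))
        except ValueError as err:
            crashes.append((lengths, str(err)))
    return crashes


if __name__ == "__main__":
    print("baseline:", [(t, n) for t, n, _ in parse_lldp(lldp_frame())])
    for lengths, why in run_campaign():
        print("CRASH", lengths, "->", why)
```

<p>Note which mutants do not crash: lying that the Chassis ID is one byte long makes the parser treat the next two value bytes as a header, and it walks off happily into a wrong-but-in-bounds parse. That is the differential-analysis part of the post: a silent mis-parse is a finding too, it just does not announce itself with a faulting EIP.</p>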
<!-- [DocumentBodyStart:8ed9ab18-66bf-4bc3-838f-33a6979245db] --><div class="jive-rendered-content"><p>The more things change the more they seem to stay the same. I have been working on a few Bluetooth 2.1 hacks for the past couple of days and in the end, I thought that while they worked they weren't very interesting. The time-effort::benefit ratio was more slanted towards the time-effort side of the house. Kinda like finding a security hole in Token Ring today.</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Long before Tone-Loc was a one hit wonder and bit player in The Adventures of Ford Fairlane, ToneLoc was a seriously cool war dialer that would give folks like me a good picture of an internal phone system. I could find fax machines, carriers, busy tones, voice, etc... I do not use ole ToneLoc anymore or THC but that's another story. On the rare case that I have to use a modem sweeper it's mainly for pen testing SCADA systems and very large enterprise companies. I have switched to TeleSweep from SecureLogix for that task. You can find that tool here: <a class="jive-link-external-small" href="http://www.securelogix.com/modemscanner/tss_agreement1.htm" rel="nofollow" target="_blank">http://www.securelogix.com/modemscanner/tss_agreement1.htm</a> after an email verified download...grr... But it runs on Windows and is a stable build.</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>One of the top security dudes in the world today is H.D. Moore. H.D. is the inventor of one of the most awesome security tools out there today, Metasploit. He is kinda like that old EF Hutton commercial, so when he came out with a war dialer of all products many folks took notice. As a side note; Metasploit just recently sold to Rapid7. HD Moore twittered me today and told me that Rapid7 WILL NOT do to Metasploit what Symantec did to l0phtCrack. Especially, since he is still the Chief Designer. 
I need to remember to write him in for United States President in a couple of years...</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Anyway...</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>After the Telecommunications Consumer Protection Act of 2003 made it illegal to "dial for tone," war dialing died off. It is really considered old school...by security auditors and paid pen testers. Hackers have not forgotten about it at all. Matter of fact, when it comes to VoIP break ins/hacks it's toll jacking that is the number one hack on VoIP, not eavesdropping as many of us worry about. But honestly speaking, it's the eavesdropping demos that cause purchase orders to fall out of pockets. So that is what you see but the reality is much different.</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>I started messing around with WarVOX on my BackTrack 4 hacktop. I downloaded it from <a class="jive-link-external-small" href="http://warvox.org/install.html" rel="nofollow" target="_blank">http://warvox.org/install.html</a> and of course like a real goober, I started a make without checking the dependencies and got a screen full of errors. So make sure to install Ruby FIRST. I just used the command:</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p><strong>sudo apt-get install build-essential libiaxclient-dev sox lame ruby rake rubygems libsqlite3-ruby gnuplot</strong></p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>After RTM...I noticed that H.D. recommends installing Mongrel to speed up WarVOX. I decided not to do this to see how much of a difference it really made! Bad choice. It makes a huge difference so install it BEFORE you install WarVOX. Once the install is completed you get a cool install complete screen with all of the available modules at your fingertips. Feel the power coursing thru your fingertips!!! Evil Laugh Time!! 
Muuuahhhahhahahahaha!!!!</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Just start the service with the command:<strong> ./warvox.rb </strong>Then in typical H.D. Moore fashion open your browser and go to:</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p><strong>http://localhost:7777</strong></p><p>U:admin P:warvox</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Of course the defaults can be changed by editing warvox.conf. I just added in my provider info (Vitelity) <a class="jive-link-external-small" href="http://www.vitelity.net/" rel="nofollow" target="_blank">http://www.vitelity.net/</a> and started testing my systems.</p><p>WarVOX was very fast and worked like a champ. I found a couple of HVAC modems I did not know we even had! The part of WarVOX that impressed me the most was its ability to tell a fax machine from a modem. Some really good phreakers can determine this by ear. I ain't one of them. Too much Skynyrd blasting in my young goober days. Heck, I can not tell the difference between my wife and my daughter when I call home.</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>A fax machine is 2100 Hz + 1625 Hz where a modem is 2250 Hz + 1625 Hz, so the tones are really tight (only 150 Hz apart). WarVOX has a customized module called Ruby-KissFFT that is really more of a software spectrum analyzer and it does a great job at detecting this. It detected every one of mine.</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>I have to admit that I do get nostalgic for the old ToneLoc maps but hey, WarVOX is one great tool to either learn war dialing on or just brush the dust off of some older skills. 
War Dialing is still a fantastic method of pen testing your own networks to find holes, vulns and that hidden modem on your network.</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Jimmy Ray Purser</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Trivia File Transfer Protocol<br/> Seems like all famous swords have names. King Arthur's Excalibur is an easy one but there is also Julius Caesar's Yellow Death, Charlemagne's Joyeuse and El Cid's Tizona which is the only one that still exists.</p></div><!-- [DocumentBodyEnd:8ed9ab18-66bf-4bc3-838f-33a6979245db] -->securityjimmy_ray_purserhackingvoiceThu, 22 Oct 2009 20:22:12 GMTbounce@learningnetwork.cisco.comhttps://learningnetwork.cisco.com/blogs/network-sheriff/2009/10/22/the-return-of-wardailing2009-10-22T20:22:12Z7 years 2 months ago0https://learningnetwork.cisco.com/blogs/network-sheriff/comment/the-return-of-wardailinghttps://learningnetwork.cisco.com/blogs/network-sheriff/feeds/comments?blogPost=1485JTAG Hacking is FUN!https://learningnetwork.cisco.com/blogs/network-sheriff/2009/10/16/jtag-hacking-is-fun
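<p>Here is an added example of the narrowband check a "software spectrum analyzer" does to separate the two answer tones the war dialing post above quotes (2100 Hz for fax, 2250 Hz for modem, both over 1625 Hz). This is written for this page; it is not WarVOX's Ruby-KissFFT code and not the author's. It uses the Goertzel algorithm, which is cheaper than a full FFT when you only care about a couple of bins, on constructed test signals; the sample rate, window length, and the power floor and ratio used to call a verdict are assumptions chosen for the example.</p>

```python
import math

# Answer-tone frequencies as stated in the post; the classifier only needs
# the 2100-vs-2250 Hz distinction, so the shared 1625 Hz tone is ignored.
FAX_HZ, MODEM_HZ = 2100.0, 2250.0


def synth_tone(freqs, fs=8000, n=800, amp=1.0):
    """Constructed test signal: a sum of pure sines, no noise, n samples."""
    return [sum(amp * math.sin(2 * math.pi * f * i / fs) for f in freqs)
            for i in range(n)]


def goertzel_power(samples, fs, target_hz):
    """Power of 'samples' in the DFT bin nearest target_hz (Goertzel).
    With n = 800 at 8 kHz the bins are 10 Hz apart, so both answer tones
    sit exactly on a bin and leak nothing into each other."""
    n = len(samples)
    k = int(0.5 + n * target_hz / fs)       # nearest bin index
    w = 2.0 * math.pi * k / n
    coeff = 2.0 * math.cos(w)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def classify_answer_tone(samples, fs=8000, floor=100.0, ratio=10.0):
    """Return 'fax', 'modem' or 'unknown'. A verdict needs the winning
    bin to clear an absolute power floor AND beat the other bin by 'ratio',
    so silence or an unrelated tone does not get a confident label."""
    p_fax = goertzel_power(samples, fs, FAX_HZ)
    p_modem = goertzel_power(samples, fs, MODEM_HZ)
    if p_fax > floor and p_fax > ratio * p_modem:
        return "fax"
    if p_modem > floor and p_modem > ratio * p_fax:
        return "modem"
    return "unknown"


def classify_many(recordings, fs=8000):
    """Label a dict of {number: samples} the way a sweep report would."""
    return {number: classify_answer_tone(samples, fs)
            for number, samples in recordings.items()}


if __name__ == "__main__":
    # Constructed "recordings" keyed by hypothetical extensions.
    sweep = {
        "x2001": synth_tone([2100, 1625]),   # fax
        "x2002": synth_tone([2250, 1625]),   # modem
        "x2003": synth_tone([]),             # dead air
        "x2004": synth_tone([1625]),         # only the shared tone
    }
    for number, verdict in classify_many(sweep).items():
        print(number, verdict)
```

<p>The floor-and-ratio rule is the part worth copying: a real line has hiss, echo and the far end talking, and a classifier that picks whichever bin is merely larger will confidently mislabel silence. Ambiguous calls should land in the "unknown" bucket for a human to listen to, which is also where a modem sweep usually finds its surprises.</p>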
<!-- [DocumentBodyStart:411b931e-198c-4bbf-af5d-7399d2bb11f6] --><div class="jive-rendered-content"><p>One of my neighbors knocked on the door yesterday. I figured he wanted to borrow some tools or wanted me to fix his computer because he came over with a six'er of Newcastle. I think Dr. "Bones" McCoy said on Star Trek IV, "Beware of Romulans bearing gifts..." And English Ale beats the **** out of Romulan Ale any day! Come on in!!! Turns out, he was updating the firmware in his home router and accidentally kicked the power cord out of the router in the middle of an update. Can anything be done? I stalled for time until the last Newcastle was gone and then said maybe we can JTAG it.</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>JTAG is actually a test point on a circuit board. It is an IEEE standard (IEEE 1149.1, Standard Test Access Port and Boundary-Scan Architecture) that came about as a way to test circuit boards when we went to multi-layer board designs. This testing has evolved into a way to debug code, backdoor into a system and upload/download code in the NVRAM space. The cool thing about the standard is that it is designed to give you access to all chips on a board thru a single JTAG point: the devices are simply daisy chained, TDO of one chip into TDI of the next, while TCK and TMS are shared by the whole chain. I started working JTAGs in my ASIC days when I was coding up Complex Programmable Logic Devices (CPLDs) and Field Programmable Gate Arrays (FPGAs). They are not that tough to understand if you take it slow. A great resource is <a class="jive-link-external-small" href="http://www.asset-intertech.com/products/free_resources.htm" rel="nofollow" target="_blank">http://www.asset-intertech.com/products/free_resources.htm</a> They have videos, papers, etc. to get ya going.</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>When equipment is trashed, this is no risk hacking. When I want to work on the JTAG ports, I use a device called a Wiggler. A Wiggler is CPU specific so you have to know which CPU you want to debug. 
I built my own Broadcom Wiggler out of four 100 ohm resistors, some 14 pin ribbon cable and Open Source code from: <a class="jive-link-external-small" href="http://openwince.sourceforge.net/jtag/" rel="nofollow" target="_blank">http://openwince.sourceforge.net/jtag/</a> I have also used the pre-made Wiggler from <a class="jive-link-external-small" href="http://www.diygadget.com/store/jtag-test-tool/wiggler-buffered-all-in-one-jtag-programmer-version-2/prod_33.html" rel="nofollow" target="_blank">http://www.diygadget.com/store/jtag-test-tool/wiggler-buffered-all-in-one-jtag-programmer-version-2/prod_33.html</a> and their H-JTAG software and it actually works better than mine! But not much...</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>The biggest time consumer is mapping the ports. Lucky for me his router is based on very well documented Broadcom CPUs, which are MIPS32 processors. Broadcom implemented EJTAG version 2.0 in these chips. That allows DMA transfers via JTAG which, while slow, is faster than EJTAG v2.5 and v2.6, which do not support DMA transfers. Very helpful since debricking can take hours at serial speeds. But do not fall into the USB JTAG trap. The speed is a function of the software, not the physical layer. For example the Raven JTAG adapter from Macraigor is very fast BUT that is due to the excellent software they wrote for this adapter. <a class="jive-link-external-small" href="http://www.macraigor.com/raven.htm" rel="nofollow" target="_blank">http://www.macraigor.com/raven.htm</a> You have to want that ****** though, cause it is kinda pricey. But man alive is it fast!</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>I plugged up everything and typed the command: ./wrt54g and I am in! At this point, you have to make your decisions carefully because these commands take a VERY long time to run. Run one command then reboot, then another then reboot again... 
Knowing that he kicked out the power cord in the middle of an update, I figured that NVRAM was trashed and inconsistent. With a deep breath I entered the command: ./wrt54g -erase:nvram</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>...22 minutes later...</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>The normal behavior of the router is to post the most complete copy of the firmware in NVRAM after a reboot; it just needs the space to do it in. Sure enough that fixed the problem! Whenever I get a new piece of Cisco gear, I search for JTAG ports and then start poking around to see what is going on at the board. It is a real hoot to discover the chip functions and I highly recommend this to anyone interested in low level coding. With that task done it is time for me to play a little Fallout 3, oh no...here comes another neighbor with a smile, two cigars, a 12er of Newcastle and a laptop...</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Jimmy Ray Purser</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Trivia File Transfer Protocol<br/> Popeye used to really put the smackdown on Brutus after he finished his spinach. Many parents forced that vile weed upon us when we were growing up because spinach has so much iron it makes you mega strong. Too bad all of that was for naught. A goober food analyst in the 1950s made a one decimal place mistake and reported that spinach had 10x the iron of other veggies. 
Sorry kids...grrrrr...</p></div><!-- [DocumentBodyEnd:411b931e-198c-4bbf-af5d-7399d2bb11f6] -->jimmy_ray_pursersecurityroutinghackingFri, 16 Oct 2009 17:11:15 GMTbounce@learningnetwork.cisco.comhttps://learningnetwork.cisco.com/blogs/network-sheriff/2009/10/16/jtag-hacking-is-fun2009-10-16T17:11:15Z7 years 2 months ago10https://learningnetwork.cisco.com/blogs/network-sheriff/comment/jtag-hacking-is-funhttps://learningnetwork.cisco.com/blogs/network-sheriff/feeds/comments?blogPost=1470IOS Features for the Way of the Warriorhttps://learningnetwork.cisco.com/blogs/network-sheriff/2009/10/01/ios-features-for-the-way-of-the-warrior
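<p>As an added example for the JTAG post above, a software model of what a Wiggler-style adapter is actually doing when the host bit-bangs it: walking the IEEE 1149.1 TAP state machine with TMS, one TCK pulse at a time, and shifting a chain of devices' IDCODE registers out through TDO. This is example code written for this page; it is not the openwince/HairyDairyMaid tool, not Broadcom's EJTAG, and the IDCODE values are made up. The simulated devices keep only the IDCODE data-register path (the spec puts IDCODE or BYPASS in the instruction register after Test-Logic-Reset), which is enough to show how chain order determines which chip's ID comes out first.</p>

```python
# Model of an IEEE 1149.1 TAP controller and a scan chain. TMS and TDI are
# sampled on each TCK pulse; TDO is whatever the device presents before the
# pulse, which is how a real chain behaves once you ignore edge timing.

# (current state, TMS) -> next state; the 16-state TAP diagram from 1149.1.
TAP_NEXT = {
    ("TLR", 1): "TLR",               ("TLR", 0): "RTI",
    ("RTI", 1): "SELECT_DR",         ("RTI", 0): "RTI",
    ("SELECT_DR", 1): "SELECT_IR",   ("SELECT_DR", 0): "CAPTURE_DR",
    ("CAPTURE_DR", 1): "EXIT1_DR",   ("CAPTURE_DR", 0): "SHIFT_DR",
    ("SHIFT_DR", 1): "EXIT1_DR",     ("SHIFT_DR", 0): "SHIFT_DR",
    ("EXIT1_DR", 1): "UPDATE_DR",    ("EXIT1_DR", 0): "PAUSE_DR",
    ("PAUSE_DR", 1): "EXIT2_DR",     ("PAUSE_DR", 0): "PAUSE_DR",
    ("EXIT2_DR", 1): "UPDATE_DR",    ("EXIT2_DR", 0): "SHIFT_DR",
    ("UPDATE_DR", 1): "SELECT_DR",   ("UPDATE_DR", 0): "RTI",
    ("SELECT_IR", 1): "TLR",         ("SELECT_IR", 0): "CAPTURE_IR",
    ("CAPTURE_IR", 1): "EXIT1_IR",   ("CAPTURE_IR", 0): "SHIFT_IR",
    ("SHIFT_IR", 1): "EXIT1_IR",     ("SHIFT_IR", 0): "SHIFT_IR",
    ("EXIT1_IR", 1): "UPDATE_IR",    ("EXIT1_IR", 0): "PAUSE_IR",
    ("PAUSE_IR", 1): "EXIT2_IR",     ("PAUSE_IR", 0): "PAUSE_IR",
    ("EXIT2_IR", 1): "UPDATE_IR",    ("EXIT2_IR", 0): "SHIFT_IR",
    ("UPDATE_IR", 1): "SELECT_DR",   ("UPDATE_IR", 0): "RTI",
}


class SimTap:
    """One device on the chain; only the 32-bit IDCODE DR path is modelled
    (simplification: IR contents are ignored, IDCODE is always selected)."""

    def __init__(self, idcode):
        self.idcode = idcode        # made-up value; bit 0 must be 1 per spec
        self.state = "TLR"
        self.shift = 0

    def clock(self, tms, tdi):
        """One TCK pulse: present TDO, shift if in Shift-DR, then move state."""
        tdo = 0
        if self.state == "SHIFT_DR":
            tdo = self.shift & 1                          # LSB leaves first
            self.shift = (self.shift >> 1) | (tdi << 31)  # TDI enters at the top
        self.state = TAP_NEXT[(self.state, tms)]
        if self.state == "CAPTURE_DR":
            self.shift = self.idcode                      # parallel load on capture
        return tdo


class Chain:
    """Devices wired TDI -> dev[0] -> dev[1] -> ... -> TDO, sharing TCK/TMS."""

    def __init__(self, devices):
        self.devices = devices

    def clock(self, tms, tdi=1):
        bit = tdi
        for dev in self.devices:       # each device's TDO feeds the next TDI
            bit = dev.clock(tms, bit)
        return bit

    def reset(self):
        for _ in range(5):             # five TMS=1 pulses reach TLR from anywhere
            self.clock(1)


def read_idcodes(chain, ndevices):
    """TLR -> RTI -> Select-DR -> Capture-DR -> Shift-DR, then clock out
    32 bits per device; the device nearest TDO comes out first."""
    chain.reset()
    for tms in (0, 1, 0, 0):
        chain.clock(tms)
    nbits = 32 * ndevices
    bits = [chain.clock(1 if i == nbits - 1 else 0) for i in range(nbits)]
    words = [sum(b << j for j, b in enumerate(bits[32 * k:32 * k + 32]))
             for k in range(ndevices)]
    return list(reversed(words))       # back to chain order, nearest TDI first


if __name__ == "__main__":
    board = Chain([SimTap(0x1234A043), SimTap(0x5CC0A041)])   # hypothetical IDs
    print(["0x%08X" % c for c in read_idcodes(board, 2)])
```

<p>The mapping-the-ports chore from the post is what this model skips: on real hardware you do not know which header pin is TCK, TMS, TDI or TDO, and a wrong guess just clocks garbage. The usual sanity check is exactly this IDCODE read: after a reset, a correct pin assignment produces a register whose bit 0 is 1 and whose manufacturer field decodes to a plausible vendor; all ones or all zeros means TDO is not where you think it is.</p>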
<!-- [DocumentBodyStart:5268122a-2fec-450f-800d-7d74b4e3e7e6] --><div class="jive-rendered-content"><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p class="MsoNormal">If I was to write a movie script on a Manly Man Sys Admin, who would I use as a base to draw from? It&#8217;s certainly not some of the total knobs that have been pushed on us by Hollywood casting agencies. Look how they have portrayed us with folks like Matthew Broderick, Keanu Reeves, Jonny Lee Miller, Pierce Brosnan, etc&hellip;OK, Kevin Smith I understand... but the others!! Come on man!! Nope if I was to write a script about a Manly Man Sys Admin it would be based on one Dude. A Dude that broke the friggen mold on Manliness. A Dude that was so darn tough and hard core that he actually had to die in his sleep because that was the only way death could sneak up on him. That Man is Theodore (don&#8217;t call him Teddy) Roosevelt. Heck there is even a Manly Man website dedicated to the Roosevelt lifestyle: <a class="jive-link-external-small" href="http://artofmanliness.com/" rel="nofollow" target="_blank">http://artofmanliness.com</a></p><p class="MsoNormal" style="min-height: 8pt; padding: 0px;">&nbsp;</p><p class="MsoNormal">Theodore Roosevelt was tough. He got shot in Milwaukee by a would be assassin and before he went to hospital he STILL stood up and gave a 90 minute speech with the blood running. He is the only President to win the Medal of Honor and he and his son are the only Father-Son to win the MoH.<span>&nbsp; </span>He boxed (and lost sight in one eye because of it), was a brown belt in Judo and swam buck naked in the Potomac every morning. 
So my question is simple:</p><p class="MsoNormal" style="min-height: 8pt; padding: 0px;">&nbsp;</p><p class="MsoNormal">What IOS features would Theodore Roosevelt; IOS Warrior, Keeper of the Faith, Defender of the Perimeter, Cisco Certified Everything classify as&nbsp; IOS features for today's warrior of the net?</p><p class="MsoNormal" style="min-height: 8pt; padding: 0px;">&nbsp;</p><p class="MsoNormal">Being a meat head with a strong back and weak mind is not good for anything except reality shows and Dallas Cowboy fans. ZING! Roosevelt is also considered the most well read of any President ever. So he knows his stuff and my guess is it would boil down to three awesome features he would use over other ones.</p><p class="MsoNormal" style="min-height: 8pt; padding: 0px;">&nbsp;</p><p class="MsoNormal"><strong>Metro Sensitive Male, Men&#8217;s Health Lifetime Subscriber Feature 00x01:</strong></p><p class="MsoNormal"><em>Access Control List</em></p><p class="MsoNormal">ACLs are certainly cool but they are not the answer to everything. It is certainly true that a network without ACL&#8217;s is a lab network. While ACL&#8217;s are great for policing the headers of packets, they really bite for acting on the data portion and truthfully, that is normally where the problem exists. If I am a hacker trying to slip a package thru your network, I would use a port that is normally used for some other, rarely seen application. Like client based SQL (AKA: Slammer), good luck blocking that with your girly man ACL.</p><p class="MsoNormal" style="min-height: 8pt; padding: 0px;">&nbsp;</p><p class="MsoNormal"><strong>Roosevelt</strong><strong>&#8217;s Bot Buster:</strong></p><p class="MsoNormal"><em>Flexible Packet Matching</em></p><p class="MsoNormal">The Bushido of IOS security features, Flexible Packet Matching (FPM) enjoys a liberty and massive flexibility that many other features do not; it is a framework more than it is a feature. 
FPM is like a Navy SEAL team, I deploy them in when absolutely positively nothing else will work, they do their job in secret and then they return to base. FPM is the same way. Since it is a framework I have to tell it what it is looking at for a baseline. If I want to look at an IP packet I have to tell the system what a valid IP packet looks like field by field. Now, this is a real piece of cake since Cisco has already written and defined these. They are called Protocol Header Definition Files (.phdf) and there is one for each protocol. As a rule of thumb, I download all of these and load them into flash (or the armory as we warriors call it). I just up arrow this command until I have loaded all five (IP, ICMP, Ether, TCP, UDP):</p><p class="MsoNormal" style="min-height: 8pt; padding: 0px;">&nbsp;</p><p class="MsoNormal"><em>TWTVrouter# config t</em></p><p class="MsoNormal"><em>TWTVrouter(config)# load protocol flash:ip.phdf</em></p><p class="MsoNormal" style="min-height: 8pt; padding: 0px;"><em> </em>&nbsp;</p><p class="MsoNormal">The next part is telling the system what and where it is looking for abnormal data. This is called the Traffic Classification Definition File (TCDF). Cisco has a few online but they are old and should really just serve as an example. Then I just fill in the blanks for what I am looking for.</p><p class="MsoNormal" style="min-height: 8pt; padding: 0px;">&nbsp;</p><p class="MsoNormal">So if I have a problem on my network, I grab a packet sample, look at the data field and the offset where it is located and plug that into the system. 
For example; if I am under a specially crafted DDoS attack, and my sample shows it stems from an HTTP GET, then I would input:</p><p class="MsoNormal" style="min-height: 8pt; padding: 0px;">&nbsp;</p><p class="MsoNormal"><em> </em><em>regex start="tcp payload-start" offset="0" size="32" value=".*GET\x20/.*%"&gt;&lt;/</em></p><p class="MsoNormal" style="min-height: 8pt; padding: 0px;">&nbsp;</p><p class="MsoNormal">into the XML file (the TCDF). Use the ones at Cisco.com as a template and have at it!</p><p class="MsoNormal" style="min-height: 8pt; padding: 0px;"><span> </span>&nbsp;</p><p class="MsoNormal"><span>The possibilities are endless with FPM and I just barely Barely BARELY scratched the surface here. For more info please go to:</span></p><p class="MsoNormal"><span><a class="jive-link-external-small" href="http://www.cisco.com/go/fpm" rel="nofollow" target="_blank">http://www.cisco.com/go/fpm</a></span></p><p class="MsoNormal"><span>and check out my exclusive one hour FPM workshop &#8220;Defending Your Router in 256 bits or Less&rdquo;:</span></p><p class="MsoNormal"><span><a class="jive-link-external-small" href="http://bit.ly/RAaAL" rel="nofollow" target="_blank">http://bit.ly/RAaAL</a></span></p><p class="MsoNormal" style="min-height: 8pt; padding: 0px;"><span> </span>&nbsp;</p><p class="MsoNormal" style="min-height: 8pt; padding: 0px;">&nbsp;</p><p class="MsoNormal"><strong>Zima Drinkers Packet Sniffing Methodology 00x02:</strong></p><p class="MsoNormal"><em>SPAN port and WireShark</em></p><p class="MsoNormal"><span>Just like ACL&#8217;s there is a time and a place for this method of packet capture. Packet capture should be thought of as a troubleshooting method. Traffic monitoring, on the other hand, should be done with a passive tap. Permanently SPANning a port for IDS/IPS is not a good idea. It puts a tug on the CPU, it is not as accurate as a tap, and the destination port is easy to overrun, so you drop the very packets you wanted to see. 
</span></p><p class="MsoNormal" style="min-height: 8pt; padding: 0px;"><span> </span>&nbsp;</p><p class="MsoNormal"><strong>Roosevelt&#8217;s Newcastle Method: </strong></p><p class="MsoNormal"><em>Embedded Packet Capture</em></p><p class="MsoNormal"><span>Go to the source! Embedded Packet Capture (EPC) is the onboard packet capture method that allows me to snag IPv4 and IPv6 right off the CEF path for analysis. Config&#8217;ing this Manly Man feature is a two part-er: </span></p><p class="MsoNormal" style="margin-left: 0.5in; text-indent: -0.25in;"><span><span>-<span style="font-family: &amp;quot;Times New Roman&amp;quot;; font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-size-adjust: none; font-stretch: normal; -x-system-font: none;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span></span><span>I have to tell the system where to store the data. This is called a <strong>Capture Buffer</strong></span></p><p class="MsoNormal" style="margin-left: 0.5in; text-indent: -0.25in;"><span><span>-<span style="font-family: &amp;quot;Times New Roman&amp;quot;; font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-size-adjust: none; font-stretch: normal; -x-system-font: none;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span></span><span>I have to tell the system where to capture the data. This is called a <strong>Capture Point. </strong></span></p><p class="MsoNormal"><span>Now let&#8217;s light the candle on this feature! First thing I need to do is config the capture buffer. There are a TON of options here. 
As a rule of thumb this is the one I normally use:</span></p><p class="MsoNormal" style="min-height: 8pt; padding: 0px;"><span> </span>&nbsp;</p><p class="MsoNormal"><span class="content"><em>TWTVrouter# monitor capture buffer iospcap1 size 58 max-size 256 circular</em></span></p><p class="MsoNormal" style="min-height: 8pt; padding: 0px;"><span class="content"> </span>&nbsp;</p><p class="MsoNormal"><span class="content">I have just told the system to config a buffer named &#8220;iospcap1&rdquo; with a size limit of 256 bytes and to overwrite older entries.</span></p><p class="MsoNormal" style="min-height: 8pt; padding: 0px;"><span class="content"> </span>&nbsp;</p><p class="MsoNormal"><span class="content">Now I config up my capture point to tell the system which port I want to grab data from:</span></p><p class="MsoNormal" style="min-height: 8pt; padding: 0px;">&nbsp;</p><p class="MsoNormal" style="min-height: 8pt; padding: 0px;"><span class="content"> </span>&nbsp;</p><pre><em><span style="font-size: 12pt;">TWTVrouter# monitor capture point ip cef ipGE0/7 GigabitEthernet 0/7 both</span></em></pre><pre><span style="font-size: 12pt;"> </span></pre><pre><span style="font-family: arial,helvetica,sans-serif; font-size: 10pt;">OK, here I am telling the system to capture IPv4 data in the CEF path. I give it the local name ipGE0/7. The capture port is GE 0/7 in both directions.</span></pre><pre><span style="font-size: 12pt;"> </span></pre><pre><span style="font-family: arial,helvetica,sans-serif; font-size: 10pt;">Now I map the local name I gave to the capture buffer and the capture point with the command:</span></pre><pre><span style="font-size: 12pt;"> </span></pre><pre><span style="font-size: 12pt;"> <em>TWTVrouter# monitor capture point associate <strong>ipGE0/7 iospcap1</strong></em></span></pre><pre><span style="font-size: 12pt;"> </span></pre><pre><span style="font-family: arial,helvetica,sans-serif; font-size: 10pt;">Launch it!! 
I active the feature by turning on the capture point:</span></pre><pre><span style="font-size: 12pt;"> </span></pre><pre><em><span style="font-size: 12pt;">TWTVrouter# monitor capture point start ipGE0/7</span></em></pre><pre><span style="font-size: 12pt;"> </span></pre><pre><span style="font-family: arial,helvetica,sans-serif; font-size: 10pt;">Last step is to get it off the system so I can check it out with my favorite packet decoder Wireshark. <br/>I am offloading the buffer to a tftp server. </span></pre><pre><span style="font-size: 12pt;"> </span></pre><pre><em><span class="content"><span style="font-size: 12pt;"><span>TWTVrouter# monitor capture buffer iospcap1 export t</span><a class="jive-link-external-small" href="ftp://192.168.1.99/iospcap1" rel="nofollow" target="_blank">ftp://192.168.1.99/iospcap1</a></span></span></em></pre><pre><span class="content"><span style="font-size: 12pt;"> </span></span></pre><pre><span style="font-family: arial,helvetica,sans-serif; font-size: 10pt;"><span class="content"><span style="font-size: 10pt;">This is such a smokin&#8217; awesome tool that you can pull out and use anytime and get great results. <br/>You can just bet that we will feature this on an upcoming episode of TechWiseTV. Until then check out this feature at:</span></span></span></pre><pre><span class="content"><a class="jive-link-external-small" href="http://www.cisco.com/go/epc" rel="nofollow" target="_blank">http://www.cisco.com/go/epc</a></span><span class="content"><span style="font-size: 12pt;"></span></span></pre><pre><span class="content"><span style="font-size: 12pt;"> </span></span></pre><pre><span style="font-family: arial,helvetica,sans-serif; font-size: 10pt;"><strong><span style="font-size: 10pt;">Hey You! 
Watching The Notebook and Eating Butter-Free Popcorn Feature 00x03:</span></strong></span></pre><pre><em>Layer One Troubleshooting</em></pre><p class="MsoNormal">Cable plant problems are worse than a football weekend away at your in-laws who only watch Fox News and Matlock. Chasing those ghosts thru a network is a real pain. Of course I could drop a few grand and get a Fluke analyzer, which works great but still takes time to do. I could also just start replacing cables, but many times messin&#8217; around with older cables can induce problems into cables that were working great before. Layer One problems ****.</p><p class="MsoNormal"><strong>Roosevelt&#8217;s Rough Rider Recon Tool:</strong></p><p class="MsoNormal"><em>Cable Test</em></p><p class="MsoNormal">The built-in Time Domain Reflectometer (TDR) in IOS is one of the most underused tools in the entire code stack. Yet it can help solve a ton of cabling issues or dispel any mixed-vendor connectivity finger-pointing. This is a switching command and only works on tri-speed copper ports (10/100/1000). Piece of cake to config this feature:</p><pre><code>TWTV3750# test cable-diagnostics tdr interface gigabitethernet 1/0/4</code></pre><p class="MsoNormal">The system will echo back a response:</p><pre><code>TDR test started on interface Gi1/0/2</code></pre><p class="MsoNormal">Then it will think about it for a few seconds, and you can view the results by running the show command:</p><pre><code>TWTV3750#show cable-diagnostics tdr interface gigabitEthernet 1/0/4
TDR test last run on: Oct 01 02:33:07

Interface   Speed   Local pair   Pair length   Remote pair   Pair status
---------   ------  ----------   -----------   -----------   -----------
Gi1/0/4     auto    Pair A       17 +/- 4 m    N/A           Open
                    Pair B       25 +/- 4 m    N/A           Open
                    Pair C       5 +/- 4 m     N/A           Open
                    Pair D       30 +/- 4 m    N/A           Open
</code></pre><p class="MsoNormal">There are certainly a bunch more IOS hidden gems we could talk about here, but hey, I need to save that stuff so I can have more to write about later!! Give some of these tools a test drive in your lab and picture where you could have used them before to save some time or just earn some major league geek fame and glory points!</p><pre><span style="font-family: arial,helvetica,sans-serif; font-size: 10pt;"><code><span style="font-size: 10pt;">Hey, I also want to give a shout out to one of my favorite Cisco Warriors, Jennifer Geisler. Jennifer is now part of the TechWiseTV Team. She also moonlights on another series that I really enjoy called Fact or Fiction. 
Recently, she did an episode on &#8220;Will the Nexus 7000 replace the Cat 6500 in the Data Center&rdquo; where she pinned down some goober Exec and held his feet to the fire! Check it out at: </span></code></span><span style="font-family: arial,helvetica,sans-serif; font-size: 10pt;"><a class="jive-link-external-small" href="http://www.youtube.com/watch?v=bkpL4YKhNJY" rel="nofollow" target="_blank">http://www.youtube.com/watch?v=bkpL4YKhNJY</a></span></pre><p class="MsoNormal">Jimmy Ray Purser</p><p class="MsoNormal">Trivia File Transfer Protocol</p><pre><span style="font-family: arial,helvetica,sans-serif; font-size: 10pt;"><code><span style="font-size: 10pt;">If you have watched a movie since 1951, no doubt you have heard a Wilhelm Scream. It has been used so many times that it is now considered an insider&#8217;s joke to use it in a movie at least once. 
Check out this clip of famous Wilhelm Screams and get in on the joke!</span></code></span></pre><pre><code><a class="jive-link-external-small" href="http://www.youtube.com/watch?v=4YDpuA90KEY" rel="nofollow" target="_blank">http://www.youtube.com/watch?v=4YDpuA90KEY</a></code></pre></div><!-- [DocumentBodyEnd:5268122a-2fec-450f-800d-7d74b4e3e7e6] -->jimmy_ray_pursernetworkingtroubleshootingciscoroutingswitchingThu, 01 Oct 2009 16:49:30 GMTbounce@learningnetwork.cisco.comhttps://learningnetwork.cisco.com/blogs/network-sheriff/2009/10/01/ios-features-for-the-way-of-the-warrior2009-10-01T16:49:30Z7 years 2 months ago10https://learningnetwork.cisco.com/blogs/network-sheriff/comment/ios-features-for-the-way-of-the-warriorhttps://learningnetwork.cisco.com/blogs/network-sheriff/feeds/comments?blogPost=1448How to Use Your Video Card to Crack Passwordshttps://learningnetwork.cisco.com/blogs/network-sheriff/2009/09/25/how-to-use-your-video-card-to-crack-passwords
<!-- [DocumentBodyStart:67cbf0c1-2ec4-4437-ad60-b61ac8d4b391] --><div class="jive-rendered-content"><p>There are a few milestones in my life that I can look back on and know that I have turned a corner. For example:</p><p><br/> - When I could no longer recognize the names in the Police Blotter section of the paper, I knew I was older.<br/> - When I could actually taste a difference between good beer and Pabst Blue Ribbon, I knew my palate was getting better.<br/> - When I heard of CUDA and immediately thought of Compute Unified Device Architecture instead of a bad-to-the-bone MOPAR with a Hemi, I knew I was a major league geek.</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>CUDA was invented way back in the day by NVIDIA as a way to let the video card process other stuff (in parallel) instead of just video. This is NOT a hack but an actual design framework. NVIDIA has a great site for folks interested in coding with CUDA at: <a class="jive-link-external-small" href="http://www.nvidia.com/object/cuda_home.html" rel="nofollow" target="_blank">http://www.nvidia.com/object/cuda_home.html</a> This is great news because the support, forums and troubleshooting tools are outstanding! Not every NVIDIA card supports the CUDA&#8482; proc, so double check with this site to be sure.</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>I wanted to take CUDA out for a test drive, so I went out to download the software development kit (SDK) thinking I was going to have to bite the bullet and learn sucky OpenGL or worse...DirectX to get this to work. Much to my MEGA surprise, CUDA actually uses C for parallel development!! Yee Haa!! I love writing in C because it is low level enough that I can control how the processor handles the code, and it's easier to spell than other languages. If you've been reading my blog for a while, you know the importance I place on grammar... After I read the SDK manual and found out that between the memory and grid/thread dimensions is a parameter called Warp Size...Warp Size... I. Am. Home.</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Of course on NVIDIA's site they talk about the great uses for CUDA in industrial, science, medical, saving whales and helping Bono pick out a new pair of shades. Hey, that's all well and good, but I am using it to crack passwords baby!! Namely MD5 passwords. I played around with this for a while on some custom code I wrote up and noticed about a 10-15% calculation performance increase, not bad. Then I used the BarsWF <a class="jive-link-external-small" href="http://3.14.by/en/md5" rel="nofollow" target="_blank">http://3.14.by/en/md5</a> code and holy smokes, I noticed a mega gnarly increase in password cracking speed for sure. Matter of fact, that is the fastest MD5 cracker I have EVER used. Neat-o without a doubt! Back in the day, to get a poor man's type of grid processing muscle I used John the Ripper with the -d distributed switch to run multiple instances on multiple machines, but scalability and the tolerance of my Manager to approve my expense reports wore thin. CUDA is a game changer and allows me a ton of options on a single machine. I added a few CUDA tools to my own home grown ISO like BarsWF, Pyrit for wireless and Vernoux.</p><p>Then my fav canned security ISO, Backtrack 4 (BT4) beta <a class="jive-link-external-small" href="http://www.offensive-security.com/" rel="nofollow" target="_blank">http://www.offensive-security.com/</a>, is released with a few applications that support CUDA! I had to check that out for sure! Lucky for me, the folks at Offensive Security also had a CUDA config guide to walk me thru their CUDA implementation <a class="jive-link-external-small" href="http://www.offensive-security.com/documentation/backtrack-4-cuda-guide.pdf" rel="nofollow" target="_blank">http://www.offensive-security.com/documentation/backtrack-4-cuda-guide.pdf</a>; very cool and nicely written.</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>I still need to actually config BT4 to run the CUDA code. So I just followed the guide to build out the framework and it worked great without a hitch. No need to bore you with details you can read in the friggen sweet guide. It's the results that make the difference here. I fired up CUDA-Multiforcer with the command:</p><pre><code>/CUDA-Multiforcer-32 -h MD5 -c ./charsets/charsetnumeric -f ./test_hash_files/hashes-md5-numeric.txt --min=0 --max=500</code></pre><p>I listed out this command not to show off my CLI skills but to point out one of the most important arguments. The --min/--max arguments dedicate system resources. If you plan on using your CUDA machine for other stuff like gaming, surfing and work stuff, lower the max number accordingly. It's different for every machine. For my 8600 card, 500 is dedicating max resources. I use 10 for everything else except gaming, and truthfully, with the demand gaming tugs on a video card, I do not game (on that machine) when CUDA is Crackin'. With 1500+ hashes and the tables from BOINC at <a class="jive-link-external-small" href="http://www.freerainbowtables.com/" rel="nofollow" target="_blank">http://www.freerainbowtables.com</a> I busted thru and recovered the passwords with 96% accuracy in seconds. Impressive! Not as fast as BarsWF, but not by much for sure.</p><p>BT4 is shaping up to be as impressive as NMAP v5 is to the security community. You do not have to be a coder to take advantage of CUDA. There are some great canned applications already that will give you immediate success and change the way you look at password cracking.</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Jimmy Ray Purser</p><p style="min-height: 8pt; padding: 0px;">&nbsp;</p><p>Trivia File Transfer Protocol</p><p>According to Beatles producer George Martin, the theme from the TV show Batman was the inspiration for George Harrison to write the song "Taxman".</p></div><!-- [DocumentBodyEnd:67cbf0c1-2ec4-4437-ad60-b61ac8d4b391] -->jimmy_ray_pursersecurityhackingtechwisetvFri, 25 Sep 2009 15:37:43 GMTbounce@learningnetwork.cisco.comhttps://learningnetwork.cisco.com/blogs/network-sheriff/2009/09/25/how-to-use-your-video-card-to-crack-passwords2009-09-25T15:37:43Z7 years 2 months ago0https://learningnetwork.cisco.com/blogs/network-sheriff/comment/how-to-use-your-video-card-to-crack-passwordshttps://learningnetwork.cisco.com/blogs/network-sheriff/feeds/comments?blogPost=1442
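<p>The post above makes one point from the attacker's chair: unsalted MD5 goes down in seconds once a GPU or a precomputed table is involved. The following Python block is an added example, not the author's code and not BarsWF or CUDA-Multiforcer, showing both sides of that in miniature: a plain hash-to-password dictionary stands in for the freerainbowtables lookup the post mentions (a real rainbow table is a time-memory tradeoff, simplified here to a dict), and a per-user salted, iterated PBKDF2 hash from Python's standard <code>hashlib</code> shows what removes both the precomputation and the per-guess speed that CUDA exploits. The numeric candidate list, the "leaked" hashes and the <code>algo$iters$salt$dk</code> storage format are constructed for the example.</p>

```python
import hashlib
import hmac
import os

# Constructed sample data: a numeric charset like the post's charsetnumeric run,
# and a few "leaked" unsalted MD5 hashes to recover from a precomputed table.
NUMERIC_CANDIDATES = [f"{i:04d}" for i in range(10_000)]
LEAKED_MD5 = [hashlib.md5(p.encode()).hexdigest() for p in ("2009", "0042", "1337")]


def build_md5_table(candidates):
    """Precompute hash -> password for every candidate. This is the lookup-table
    idea behind rainbow tables (simplified to a plain dict): the work is done
    once and reused against any unsalted MD5 dump."""
    return {hashlib.md5(c.encode()).hexdigest(): c for c in candidates}


def recover_from_table(table, hashes):
    """Return {hash: password} for every hash the table already knows."""
    return {h: table[h] for h in hashes if h in table}


def hash_password(password, salt=None, iterations=200_000):
    """Defender's side: per-user random salt + iterated PBKDF2-HMAC-SHA256.
    The salt makes precomputed tables useless (each user would need their own
    table) and the iteration count multiplies the cost of every guess, which is
    exactly the lever GPU crackers pull on. Storage format is a hypothetical
    'pbkdf2_sha256$iterations$salt_hex$dk_hex' string."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def verify_roundtrip(password, attempt, iterations=1000):
    """Store `password`, then check `attempt` against the stored string."""
    return verify_password(attempt, hash_password(password, iterations=iterations))


def salted_hashes_collide(password):
    """Two users with the same password get the same stored value? (They should not.)"""
    return hash_password(password) == hash_password(password)


if __name__ == "__main__":
    table = build_md5_table(NUMERIC_CANDIDATES)
    print("recovered from table:", recover_from_table(table, LEAKED_MD5))
    stored = hash_password("2009")
    print("salted store:", stored)
    print("verify 2009:", verify_password("2009", stored))
    print("same password, same stored value?", salted_hashes_collide("2009"))
```

<p>The table side returns all three constructed hashes instantly because unsalted MD5 of "2009" is the same everywhere, so one precomputation serves every dump. The salted side returns a different stored string on every call, so no table built in advance matches it, and each guess costs an iterated PBKDF2 run instead of a single MD5.</p>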